VPNs may be well established in the corporate world, but they can still present a number of challenges. Here we take a look at the hottest issues. Page 13.

Are  MPLS  VPNs  the  way  to  go?  ■  Should  I  build  my  own  VPN?  ■  Are  VPNs  good  for  VoIP? 
Will  MPLS  VPNs  save  me  money?  ■  Should  I  use  IPSec  or  SSL  for  remote  access  VPNs? 
Big Brother's new software

How technology is enhancing the scope of video surveillance. Page 14.


WiMAX WISPs sprouting up

Wireless ISPs are pushing cost-effective, responsive alternatives to wireline and Clearwire-Sprint. Page 16.


No excuses — encrypt all laptops

Security columnist Andreas Antonopoulos says with new open source security packages, there are few excuses left: All laptops must be fully encrypted. Page 20.

IBM/Lotus, Microsoft see 'unified' differently


BY  JOHN  FONTANA 

IBM/Lotus is banking on the integration of its Sametime platform and collaboration software with tools from telephony partners to fuel its climb up the ranks of unified communications contenders.

The plan is to marry collaboration, social networking, conferencing and messaging software, which feature open protocols and interfaces, with telephony wares from partners such as Cisco, Nortel and Avaya to create a UC platform that corporations can integrate with their infrastructure and Web services projects. Integration and standards support are hallmarks of the platform that features voice, e-mail, instant messaging, presence and videoconferencing.

The model is much different from traditional rival Microsoft, which eventually hopes to supplant telephony vendors by reinventing the PBX in software. And it is different from Cisco, which partners with IBM/Lotus but is taking a more network approach to UC.

IBM/Lotus,  on  the  other  hand, 
See  Lotus,  page  18 


Brocade/Foundry  put 
pressure  on  Cisco 


BY  JIM  DUFFY  AND  JON  BRODKIN 

Brocade’s $3 billion acquisition of Foundry Networks, proposed last week, should result in a stronger competitor to Cisco for ownership of next-generation data centers in which storage, server and network traffic all run over a unified Ethernet-based fabric.

Brocade, the market leader in Fibre Channel storage-area networks (SAN), significantly broadens its product portfolio with a collection of high-speed Ethernet switching technology from Foundry designed to support increasingly bandwidth-hungry data centers. The combination of the products fits with Brocade’s Fibre Channel-over-Ethernet (FCoE) direction, as outlined in recent months.

“Brocade has said that they will introduce a router that will allow the routing of Fibre Channel over Ethernet for both Fibre Channel and Ethernet SANs,” says Deni Connor, principal analyst at Storage Strategies Now. “But they haven’t had a lot of experience in IP/Ethernet-centric technology. They really needed more Ethernet experience. Foundry gives them that.”

Brocade/Foundry deal at a glance

• PRICE: $3 billion

• COMBINED REVENUE: $1.8 billion

• KEY TECHNOLOGIES: Fibre Channel SANs, high-performance Ethernet data center switching.

Brocade’s approach, with Foundry in tow, counters Cisco’s Data Center 3.0 strategy, though Cisco’s plan is much broader. Cisco has an investment in VMware for server virtualization, and is looking to manage and orchestrate all data center resources — switches, servers, storage and applications — through products such as its VFrame Data Center appliance.

As for Foundry, the company has been
See Brocade, page 26


NETWORKWORLD 


iSCSI  SAN  servers? 

NetApp  edges  Compellent,  HP,  Dell 

□ Test of 12 servers reveals key differences in security, data recovery and management features.

See  complete  test  results.  Page  32 


GO  ONLINE  FOR 


Feature-by-feature  analysis. 
Synopsis  of  each  product. 
Green  scorecard. 

Slideshow  of  test  results. 
www.nwdocfinder.com/5950 


■ The Pinnacle Video Transfer lets you back up different video sources without having to go through a PC. See Cool Tools, page 30.

30 Mark Gibbs: Something to sync about.

30 Keith Shaw: Ease of use makes two devices shine.

GOODBADUGLY 

Get  yer  free  hypervisor  here 

VMware said it will offer the small-footprint version of its ESX virtualization software free, responding to pressure from Microsoft and other companies that are threatening VMware’s lead in the virtualization market. The next version of ESXi, which will come in about a week, is a basic hypervisor, which is technology that separates the OS from server hardware so multiple OSes can run virtually on one physical server.

Amazon’s bad day

Amazon's S3 cloud storage service suffered eight hours of downtime and elevated error rates in the United States and Europe on July 20. The outage lasted several hours longer than a similar problem that hit the service in February, disrupting Web sites that rely on the online Simple Storage Service. The social networking site Twitter was disrupted during both outages.

Implicit goes after big names

IBM, SAP and Adobe Systems are the latest targets of patent lawsuits filed by Implicit Networks. Implicit claims the companies "are violating two patents for computer-server software that performs faster security functions," Bloomberg News reported. Implicit filed its lawsuit in Washington Western District Court on July 15, just five months after suing AMD, Intel, Nvidia, Sun, Raza Microelectronics and RealNetworks in the same venue.


A snapshot of how networkworld.com visitors voted on a key networking issue last week:

Is open source software more of a security risk than proprietary software?

Yes: 19%
No: 75%
Don’t know: 6%

Total voters for this poll: 209


Vote  and  discuss:  www.nwdocfinder.com/5951 




PEERSAY 


Too  much  power 

Re: Insider threat looms large as San Francisco’s network crisis plays out (www.nwdocfinder.com/5931):

There’s something to be said about not giving a single individual too much control over a network. At some point in time you have to trust people’s ethical compasses. If the individual was going to be put on probation, they should have started protecting themselves before putting the individual on probation.

Ckensek 

Discuss  at  www.nwdocfinder.com/5932 

Abuse  of  power 

Re: Why San Francisco’s network admin went rogue (www.nwdocfinder.com/5933):

Finally we get some real insight into what’s been happening. Definitely can identify with this guy. I love the fact that the techie stands up to the management yahoos and single-handedly exposes their horrific management of the city’s network. The guy’s got guts, for sure.

J.Will 

Discuss  at  www.nwdocfinder.com/5934 

VMware’s advantages over Microsoft

I was reading Jon Brodkin’s article in the July 14, 2008, issue about the CEO change at VMware (www.nwdocfinder.com/5944).

In my opinion, I feel that Jon does not understand the technical advantages of VMware over Microsoft. He is making the assumption that Microsoft has won the virtualization war due to price. He is making an apples-to-oranges comparison. He stated that Hyper-V is free with Windows Server 2008. You still have to buy Windows Server 2008 to get the free Hyper-V to put on the server that you are going to use for virtualization. We have an EA with Microsoft, so I would still have to pay $954 for the Windows server to put Hyper-V on. He priced the ESXi at $495. It seems to me ESXi is half the price of Microsoft.



VMware also offers a free version on VMware, which is VMware Server that can be loaded on Windows Server. Now that’s an apples-to-apples comparison. VMware has VMware ESXi and VMware Infrastructure Enterprise (VIE), and Microsoft has nothing to compare with them at this time. ESX is its own OS that sits on the hardware. What this gives you is better performance per virtualized machine. With Hyper-V you have performance requirements for the basic 2008 server and then the Hyper-V application that is running on top of that base server. ESX has optimized the OS before you start using the virtual machines.

We are a hospital that runs 24/7 and we are also a Microsoft shop; we have about 90 Microsoft servers in our environment. Of these 90 servers, we have about 60 that virtualized into a VIE. Even now we would not use Microsoft due to the performance advantages of VMware Infrastructure, High Availability, VMotion and Distributed Resource Scheduler. With these systems we can ensure that we are up at all times.

I am sure that the change in leadership will be a good thing but, in my opinion, Microsoft has a long way to get where VMware is at today. VMware must not lose its focus, or it will lose out to Microsoft. If you are a small organization, Hyper-V may work for you. If and when Microsoft can provide something comparable to VIE, we would look at it. Next time, please make sure you show an accurate comparison between the two products. You can’t compare the speed and quality of a Yugo to a BMW.

Mark  Rose 

Discuss  at  www.nwdocfinder.com/5943 

Jon Brodkin responds: Thanks, Mark, for your comment. I believe you are mistaken in saying that “Jon does not understand the technical advantages of VMware over Microsoft.” I would like to direct you to my June 26 story, “VMware trumps Hyper-V on functionality, but not on price” (www.nwdocfinder.com/5945). It explains VMware’s technology advantages, including live migration, the ability to move an application running on a virtual server from one physical device to another, as well as “hot add,” the ability to add memory to a virtual server while it’s running. It also discusses the free VMware Server you mention in your comment. While your response is specifically directed at the story on VMware’s ouster of Diane Greene, a thorough look at the totality of my reporting will show that I have not ignored the issues you raise and am well aware of them. Thanks for reading.

E-mail letters to jdix@nww.com or send them to John Dix, editor in chief, Network World, 492 Old Connecticut Path, Framingham, MA 01701-9002. Please include phone number and address for verification.
Fun apps for your iPhone 3G

Keith Shaw brings you six fun iPhone apps that will surely help you get through boring meetings.

www.nwdocfinder.com/5927

The 'intelligent' TV Studio

Making TV shows can be a time-consuming task. In this studio of the future being developed by Japanese public broadcaster NHK, things are a little easier.

www.nwdocfinder.com/5928

The best games from E3

The big E3 video games blow-out is coming to an end in Los Angeles and to cap off the week, here's a look at the best 10 games of E3 as ranked by Gamepro.

www.nwdocfinder.com/5929
Focus on restore, not backup

BLOGOSPHERE


■ 802.11n: What’s the problem? Craig Mathias writes in his Nearpoints blog: “OK, there's a chance I've been a tiny bit irrationally exuberant when it comes to 802.11n, but I really don't think so. My advice has been uniform and consistent — buy it. Now. There's no need to wait; the Wi-Fi Alliance's blessing of Draft 2.0 should be all the assurance one needs. I see no issues in upgrading Draft 2.0 products (the ones I’ve tested, anyway) to Draft 5.0 and the final standard. And, while some are better than others, all .11n products I’ve tested have performance that is certainly much better than .11g or .11a. And yet I still hear and read that not everyone agrees, and many still buy .11g. What I want to know is why. All .11n products are backwards compatible to .11g and/or .11a. When running in backwards-compatible mode, they uniformly yield “better g than g" performance, so purchasing .11n to work in .11g mode with an eye towards an eventual .11n infrastructure can make sense." www.nwdocfinder.com/5947

■ Convergence improves airport communications. Matthew Nickasch writes in Considering Convergence: “At a specific regional airport in the southeastern U.S., the use of converged telephony was in full force. Utilizing a Cisco CallManager, the airport provided leased telephony resources to each carrier operating out of the airport. With constant gate changes and check-in counters among carriers, a traditional telephony environment wasn't going to work effectively. Instead, carrier employees simply logged in and out of the IP phones as needed, and calls were directed to the proper location, regardless of location changes among carriers. Ultimately, the need for constant moves, adds, and changes was nearly non-existent. Not only did this simplify communications among the carriers, it also relieved the need for multiple and separate PBX switches, and system management became nearly non-existent." www.nwdocfinder.com/5948

■ Is Live Search making headway against Google? Mitchell Ashley writes in Converging on Microsoft: “It's a marginal gain but a gain nonetheless. The June numbers show Microsoft’s Live Search gained 0.3 percentage points, putting them at 9.2%. Google lost that same amount. (Yahoo also gained.) Is Microsoft’s Live Search strategy working? Frankly I’m surprised Microsoft is already at 9.2% of the U.S. Web search market. Obviously an acquisition of some or all of Yahoo by Microsoft would greatly accelerate the quest for market share, but that’s anything but certain these days.” www.nwdocfinder.com/5949


Small business networking: Everyone always worries about backup, backup, backup. Guess what? None of your users, or managers for that matter, care one bit about backup. All they want is restore, and they want it immediately. So shift your focus from backup to restore. True, this is a bit of a semantic trick, because you only have files to restore if you’ve done a backup. But the type of restoration you plan to do makes a big difference in the type of backup you choose. There are three types of data restoration, at least for our discussion today. First, you want to restore files to the same computer the files came from. This is the most common restoration, and applies to data files rather than operating system or application program files. Let’s call this personal file restoration. Second, you may want the ability to restore files to any computer you have, such as your laptop while traveling or a friend’s computer if you’re on vacation. Sometimes companies organize common files on the local file server and in a common area on the backup system, so anyone can download the latest version of a work file while at home. Let’s call this group file restoration. Finally, you may not care much about individual files but rather about the entire hard disk for the fastest recovery after a disk failure. These are called system restores, and they work by saving an image of your hard disk, operating system and applications files, and the data files you’ve created.

www.nwdocfinder.com/5922

Tech exec: In a special report on virtualization, Gartner says “Virtualization is the highest-impact issue changing infrastructure and operations through 2012, changing how and what you buy as well as how you manage it.” Those are some pretty strong words, even for Gartner. The research firm believes that virtualization is allowing organizations to get more out of their infrastructure. As a proof point, Gartner cites a small decline in the x86 server market in 2006 as fewer physical servers are needed to run more virtualized applications.
www.nwdocfinder.com/5923

IT careers and training: Back in April we discussed research that found IT job security was dropping five times faster than the national average. But some new research shows a rosier view, with numerous technology skills being labeled as “recession-proof.” You’re in good shape if you’re skilled in software design and development, networking and system administration, database administration, business analysis software implementations and software testing. Workers in these five professions were among the top 25 “most wanted U.S. job candidates” in the 120-day period ending July 7, according to an analysis by Jobfox.
www.nwdocfinder.com/5924
Head of Microsoft’s online group to be Juniper CEO

Just under a week after Microsoft released financial earnings dragged down by its online services group, the head of its online operations, Kevin Johnson, is leaving the company and taking the CEO position at Juniper Networks. Microsoft plans to divide its Platforms and Services division, the group Johnson led, into the Windows/Windows Live group and an Online Services group. Johnson has been with Microsoft since 1992. “In some ways, he has had a career trajectory somewhat like Steve Ballmer’s own. He was definitely on the short list of people who would be a potential CEO replacement,” says Rob Helm, an analyst with Directions on Microsoft. Yet, he was in a difficult position as head of the online services business, which reported a $488 million loss in operating income for its fourth quarter, more than double the $210 million operating loss the division saw last year. www.nwdocfinder.com/5952


Attack code released for new DNS attack. Hackers have released software that exploits a recently disclosed flaw in the Domain Name System software used to route messages between computers on the Internet. The attack code was released last week by developers of the Metasploit hacking tool kit. Internet security experts warn that this code may give criminals a way to launch virtually undetectable phishing attacks against Internet users whose service providers have not installed the latest DNS server patches. Attackers could also use the code to silently redirect users to fake software update servers in order to install malicious software on their computers. The bug was first disclosed by IOActive researcher Dan Kaminsky earlier this month, but technical details of the flaw were leaked onto the Internet last week, making the Metasploit code possible.
www.nwdocfinder.com/5953

IT worker confidence hits all-time low. Now more than ever American IT workers fear the weakening U.S. economy will impact their ability to find and keep jobs in high-tech, according to new research commissioned by Technisource and conducted by Harris Interactive. Seventy percent of 456 IT employees polled in the second quarter believe the economy is getting weaker and nearly 60% said it appears to them that there are fewer IT jobs available. In addition, the number of high-tech workers who said they don’t feel confident in their ability to find a new job increased from 16% in the first quarter to 20% in the second quarter. The results are part of a larger study of more than 8,000 U.S. employed adults performed quarterly since 2005 to gauge the confidence level of American workers. For IT workers, the second quarter of 2008 marks an all-time low in confidence and perceived health of the market for high-tech jobs.

www.nwdocfinder.com/5954

Sun veterans form data-access start-up. A start-up founded by veterans of Sun says it is developing a data access product, apparently targeted at the Web 2.0 and cloud computing realms. Schooner Information Technology, which is in stealth mode, was founded by CEO John Busch and CTO Thomas McWilliams. Busch was research director of computer system architecture and analysis at Sun laboratories from 1999 through 2006, and McWilliams was a distinguished engineer and principal investigator for Sun from 1996 to 2001. Schooner describes itself as “an early stage start-up focused on delivering next generation data access solutions for Web 2.0 and enterprise customers.” A beta program is available on the company’s Web site, and Schooner is recruiting new talent.
www.nwdocfinder.com/5955

EMC revenue, profit defy economic woes. EMC’s revenue grew 18% in the second quarter, which ended June 30, a result the company attributes to massive growth in the data enterprises need to store. The company brought in $3.67 billion worldwide in the quarter, up from $3.12 billion a year earlier. Revenue even rose 10% in the United States, defying the country’s economic woes, while gaining more in all of EMC’s other regions around the world. The results beat expectations of analysts, who had predicted revenue of $3.56 billion, according to a Thomson Financial survey. The sales gains boosted EMC’s profit as well, with net income reaching $377.5 million, or $0.18 per share, up from $334.4 million, or $0.16 per share, in last year's second quarter.

www.nwdocfinder.com/5956

NIST preps tool to predict vulnerabilities. Researchers at the National Institute of Standards and Technology are touting a new tool that uses security metrics and network pathways to predict attack risks and potentially help IT folks keep ahead of network security battles. In research announced this week, NIST scientists said they are building a tool that generates and analyzes data from attack graphs. Attack graphs generally show how a hacker would exploit system vulnerabilities. NIST computer scientist Anoop Singhal said his team at George Mason University determines risk by using these attack graphs and NIST’s National Vulnerability Database, which includes a collection of security-related software weaknesses that are ranked according to their severity. For each path in an attack graph, the NIST researchers assign an attack probability based on the system components involved and related scores in the NVD database.
www.nwdocfinder.com/5957 

SAP shutters TomorrowNow subsidiary. SAP plans to close its TomorrowNow software maintenance subsidiary by Oct. 31, having failed to find a buyer for the company. SAP bought TomorrowNow in 2005 to get closer to customers of its arch-rival Oracle, which had acquired PeopleSoft, JD Edwards and Siebel. However, in March 2007 Oracle filed a lawsuit alleging that TomorrowNow employees had illegally downloaded support materials for PeopleSoft and JD Edwards products from an Oracle Web site. Last November, SAP announced the resignation of TomorrowNow’s management team, and said it was considering selling the company. Both moves were seen as ways for SAP to distance itself from the activities of its subsidiary and clean up its reputation. SAP says it will help TomorrowNow’s 225 customers find new support providers before the company closes its doors.
www.nwdocfinder.com/5958

U.S. poised for broadband explosion. The United States has fallen behind on broadband penetration, but that will change in the next four years, according to a report from Gartner. In 2012, 77% of all American households are predicted to be accessing the Internet via broadband, compared with 54% last year, the report stated. Gartner’s analysts have put together a list of 17 countries that all are expected to have penetration levels that exceed 60% in 2012. Last year, 11 countries on that list were ahead of the United States, but in four years, only South Korea, the Netherlands, Hong Kong and Canada will lead it in household broadband penetration.
www.nwdocfinder.com/5959 
NAC: usefulness vs. cost

Network World recently conducted our first live chat face-off with two security experts who hold opposing views on the value of network access control. On the pro-NAC side was Joel Snyder, senior partner with Opus One, and a member of Network World Lab Alliance. On the con side was Richard Stiennon, founder of Seccom Global and author of the Stiennon on Security blog for Network World. What follows is a partial transcript. Read the full transcript at www.nwdocfinder.com/5946.


Moderator-Julie: How do each of you define NAC?

Snyder: NAC is User-Focused, Network Based, Access Control. NAC changes how we do access control. That’s the “AC” in NAC. And it’s NETWORK Access Control. That’s the “N.” With NAC, What You Are Allowed To Do = Who You Are + Your Endpoint Security Status + How You Behave. That = is not a static = either; it’s f(), a continuously evaluated function. This is not discrete math; it’s calculus. Thus, What You Are Allowed To Do (ACCESS CONTROL) is continuously evaluated based on things that change, largely How You Behave.

In simpler terms, AC = Auth [Authentication] + EPC [End Point Control] + NBAD [Network Behavior Anomaly Detection]. Anyone who does NAC has to decide which of these three components is important, and how important. Thus, you can have NAC solutions which are 100% EPC and 0% Auth and 0% NBAD. You can have some which are 100% Auth and 0% EPC and 0% NBAD. And you can even have some where AC = 0%, because all they’re doing is getting a report. . . . It’s a technology. Not a product.

Stiennon: Sheesh. I knew NAC was complicated but I thought it would be easier to define. Like: NAC is access control on steroids. It adds machine state, as in configuration, virus signatures, etc. to the access control equation. The concept was introduced by Cisco in 2003 as a solution to the problem created by MSBlaster: networks getting infected by laptops brought into work. Like other things on steroids, NAC is prone to heart failure, internal bleeding, complications and just plain ugly appearances.

Moderator-Julie: What do you see as the value of NAC?

Snyder: Look, NAC is important for one key reason: it changes our focus. For years and years we’ve spent our time being focused on the perimeter. Then we started to look inside. But we have always been focused on IP addresses: poke hole in firewall for IP A to get to IP B on port C. The same is true with IPsec. Even though people have had the opportunity to do fine-grained VPN, no one does because the products make it a nightmare. It was. Let’s get some history in here.

Then SSL VPN came around and needed a hook, and the hook that caught was “per-user policy.” All that blabbing about policy on firewalls was no good without tools, and suddenly the SSL VPN guys had it. We could put people into groups and focus on the USER for our security policy — which is as God intended it. Not the IP address, but the person.

NAC is taking this kind of USER-FOCUS and bringing it into the world of the network. It is a tool for doing USER-FOCUSED NETWORK-BASED ACCESS CONTROLS. That’s what NAC is, and that’s why NAC is so exciting. And, of course, the “user” is actually the sum of “the user person” and “the device they’re using,” since to a network guy like me the user and the laptop/desktop are the same entity. That’s why NAC is exciting. It lets us take security where we couldn’t do it before.

Stiennon: Ewww, hold on while I clear my palate. I am a network guy, too, but I do not want to go places I have not gone before. I agree that NAC changes focus. It changes it away from security and networking and toward infrastructure and desktops. At a detriment to overall security.

Snyder: You’d have to explain the detriment part to me, because I don’t get it. (He opens the door wide...)

Stiennon: OK, Look at it this way. We are in an era of greater and greater threats. We have Chinese hackers in our networks. Insiders stealing IDs and credit cards. Bots and DDoS threats. And for some reason during all of this violent change vendors such as Cisco, Microsoft, etc. want us to stop everything and implement their particular brand of binding between machines and networks. NAC is not a security solution at all.

Snyder: Are you making a zero-sum game argument here? That if we spend time on NAC, then we’re not spending time on Chinese hackers? Because I don’t think that the statement that NAC is not security is really defensible, honestly.

Stiennon: You bet. Most of the CIOs I know not only have no extra budget this year but are being asked to reduce their spend.

Snyder: Access Control is one of the fundamental things we do for security.

Stiennon: We better get into our definitions; I have NO PROBLEM with user access control. I have LOTS of problems with endpoint access control.

Snyder: You’re implying that NAC is a net cost. I believe that it can be a net savings.

Stiennon: I believe NAC is a net cost and something that reduces value of the network to the enterprise. I agree that it is turning into a religion, which makes me an atheist. I was configuring RADIUS 14 years ago. It is needed and works.

Snyder: RADIUS doesn’t mean we know who’s on the other end of a hole in the wall. Everyone knows that a new technology has a pain and a benefit/pleasure. If the pain is greater than the benefit, then it won’t be absorbed. It’s that simple. NAC lets us bring together a bunch of disparate pieces (802.1X, user-focused policy, endpoint security, IDS/NBAD) and integrate them. That’s what was missing. That’s why NAC is interesting. That’s why people are excited.

phreno: Richard: Some NAC products offer behavioral policy enforcement. I get identity, endpoint checks, and behavioral policy enforcement that stop botnets, DDoS attacks, etc., that do find a way onto the network. What other technology offers that?

Stiennon: Great question. This is where the IPS/AV industry is heading. Allow an infected endpoint to connect, but do not allow it to harm me. Filter out attacks at the edge. The capability you refer to in some “NAC solutions” is what they call post admission control. That is good but the action should be to drop packets, not end point connections. ■


12  •  JULY  28,  2008  •  www.networkworld.com 


NEWS  ANALYSIS 


VPNs:  Six  burning  questions 

Which  type  of  VPN  should  you  be  using?  Should  you  build  your  own  VPN? 


BY  TIM  GREENE 

VPNs  are  well  established  as  essential  tools 
for  corporate  communications,  but  they  are 
not  all  created  equal.  Here  are  six  questions 
and  their  answers  that  can  help  you  make 
decisions  about  which  VPN  technology  to  use. 

1.  Are  Multi-protocol  Label  Switching 
(MPLS)  VPNs  the  way  to  go? 

For  many  corporate  network  needs  the 
answer  is  yes,  and  the  transition  to  MPLS  is 
well  underway. 

MPLS VPNs have been eating away at frame relay for years, and within the next 18 months there will be more MPLS VPN connections than frame relay connections in the United States, according to Vertical Systems Group. By 2011, there will be more than 1 million MPLS VPN connections in the United States, Vertical says.

That means that businesses — in many cases prompted by their service providers — are buying MPLS connections as their connectivity needs expand and they have to connect new sites. But even more of them are migrating from frame relay altogether as the providers themselves make the transition to MPLS, says Rosemary Cochran, an analyst with Vertical. The number of frame relay connections in use is actually declining.

Worldwide, MPLS services reaped $13 billion last year, a growth of 20% in revenues, according to Infonetics.

The reasons are many. MPLS VPN services offer fully meshed networks as a matter of course; any site connects to any other site. To do the same with frame relay means expensive virtual circuits laid out between every site and every other site. MPLS lets customers shed complexity and cost.

MPLS also supports multiple qualities of service at varying prices to give business customers options to buy less-expensive VPN services for less-critical traffic.

Sprint has just announced it is installing a 40Gbps optical backbone to carry its increasing load of IP traffic that is generated by MPLS services and Internet traffic.

2.  Will  MPLS  VPNs  save  me  money? 

Probably not. If you evenly swap MPLS for frame relay, the costs of the lines may drop, Cochran says, but not the price of the service in aggregate. “When companies make that switch the overall price might not go down but the ability to connect to more sites and the flexibility to manage the network may go up,” Cochran says. “We do not see tremendous price declines in going to MPLS from frame, simply because you’re using T-1 access and then you start adding on features like security and management and voice.”

T-1 access costs about $435 per month in the United States, according to Nemertes Research, but other access methods can cut that price significantly. For instance, New Edge Networks offers DSL service to carrier MPLS backbone networks that support five qualities of service and business-class service-level agreements for about $240 per month. Repair-time guarantees and symmetrical bandwidth are more readily available with T-1 services, but the price difference may be worth the trade-off.

“Companies like these services because they offer considerably more bandwidth with little or no increased WAN costs compared to their legacy counterparts — frame relay, ATM, private lines,” says Michael Howard, principal analyst with Infonetics.

That is prompting customers to boost the bandwidth they buy for their MPLS VPN connections above the T-1 speeds that are typically the top size for frame relay connections.

“The demand for higher speeds is going up, and that’s a function of availability and pricing, depending on who the provider is,” Cochran says. “Is it an incumbent that is cannibalizing its own [frame relay base] or is it a competitive provider offering lower-price access?”

Hands-on  customers  stand  to  save  more  on 
monthly  bandwidth  costs  building  their  own 
MPLS  VPNs  and  shopping  around  for  the  best 
bandwidth  costs,  she  says.  “In  that  case 
because  you’re  not  limited  to  one  provider, 
you  can  shop  for  the  best  price  in  each  of  your 
locations  and  then  make  the  connections 
yourself  with  hardware  and  software  you 
own,”  Cochran  says. 

3.  Should  I  build  my  own  VPN? 

If  you  do, you  won’t  be  alone,  but  prepare  to 
spend  time  and  develop  expertise  in-house. 

According to Cochran, more WAN connections are made over build-your-own VPNs — in which businesses buy their own VPN gear and attach it to WAN connections they have purchased separately — than are made over MPLS VPN services.

This can range from installing and configuring MPLS gear at each site — an expensive proposition — to using site-to-site IPSec equipment that is often packaged with firewalls and is generally less expensive.

The trade-off vs. VPN services is the do-it-yourself part. Businesses have to provide the time and expertise to design, install, maintain and troubleshoot the VPN, says Mark Lewis, a networking design consultant and blogger for Network World. And that means training. Without it, troubleshooting VPNs can be “random, time consuming, and will often not resolve your problem at all — it might even exacerbate it,” he writes.

4.  Should  I  use  IPSec  or  SSL  for  remote 
access  VPNs? 

SSL.  In  almost  all  cases,  SSL  VPNs  can  be  set 
up  to  deliver  the  same  access  that  IPSec  VPNs 
do.  And  SSL  offers  more  options. 

SSL VPNs offer application-layer secure access over the Internet using capabilities common to most browsers, which means not having to distribute and maintain client software on remote machines. The limitation is that browsers access only Web-based or Webified applications.

By pushing Java or ActiveX SSL VPN plug-ins to the remote machines on the fly, SSL VPNs can create network-layer connections comparable to IPSec, without having to distribute dedicated VPN client software.

SSL  also  can  give  more-detailed  control  of 
the  resources  remote  users  have  access  to. 
Whereas  IPSec  gives  full  network  access,  SSL 
can  restrict  access  based  on  applications 
more  readily. 

If  access  to  Web  applications  or  Webified 
applications  is  all  users  need,  then  the  only 
client  software  required  is  a  compatible 
browser.  This  means  users  can  connect  from 
home  machines,  borrowed  machines  or  those 
found  in  business-center  kiosks. 

“SSL VPNs have superseded IPSec as the easiest choice for casual and ad hoc employee VPN access requests and for business partners, external maintenance providers and retired associates,” says Gartner analyst John Girard. While the sales of SSL VPN gear grew 43% between mid-2006 and mid-2007 to hit $340 million, the annual growth rate is expected to slow down, resulting in a projected average annual growth rate of 13.8% through 2011.

A  separate  study  by  IDC  finds  that  IPSec 
VPNs  accounted  for  more  than  half  the  $1.27 
billion  taken  in  with  VPN  appliance  sales  in 
2007,  but  IPSec’s  share  of  that  revenue 
dropped  as  a  percentage  by  9.8%,  IDC  says. 
Sales  of  SSL  VPNs  increased  18.2%  in  the  same 
time  period. 

Still, customers are finding use for IPSec remote access in conjunction with SSL. Sales of Hybrid SSL/IPSec gear are lower, but growing faster, than SSL or IPSec gear alone, IDC says.

The  top-selling  VPN  appliance  vendors  in 
order  are  Cisco,  Juniper,  Nokia,  Safenet  and 

See  VPNs,  page  28 
Big Brother’s new software

How  technology  is  enhancing  the  scope  of  video  surveillance 


A  closer  look  at  IBM's  Smart  Surveillance  System 

This middleware works with pre-existing security systems. It takes videos sent from cameras and filters them for analysis, data management and real-time alerting.

BY BRAD REED

Any  way  you  look  at  it,  video  surveillance  is 
becoming  more  sophisticated. 

A recent report by ABI Research projects that revenue generated from surveillance software will more than triple from $245 million this year to $900 million-plus in 2013. Technological breakthroughs have added several capabilities to surveillance cameras in recent years, from face-recognition software to cameras designed to mesh with radio-frequency identification tags. And the advent of Wi-Fi has made it possible to place wireless cameras just about anywhere while still being able to send footage back to a central location, says Stan Schatt, ABI vice president and research director.

“More and more governments can use these cameras outdoors in places where they couldn’t before,” he says. “This is because they can use Wi-Fi to send signals back to the security department, whereas before they couldn’t get cameras properly hooked up to the network.”

IBM has become a prominent player in the advanced video surveillance market, as the company in recent years has helped Chicago roll out equipment and software for its Operation Virtual Shield crime detection and prevention program. And while many governments and businesses are using IBM surveillance systems for traditional security operations, IBM physical security CTO Arun Hampapur says that new surveillance technology is opening avenues that were not possible 10 years ago.

“There’s a technology called video analytics, which is basically a set of computer algorithms designed specifically to watch objects such as license plates and faces,” he says. “That makes it possible to use surveillance cameras in a more proactive way.”

For example, Hampapur says a camera can be programmed to watch a perimeter around an airport where people are not allowed to pass through. So if a person jumps a fence or tries to access the area without being authorized, the camera will detect his presence and send out an alert to the security department.

Ed  Troha,  marketing  director  for  surveillance 
vendor  ObjectVideo,  says  his  company  has 
developed  techniques  for  analyzing  pixels  and 
groups  of  pixels  by  the  way  they  interact  with 
each  other  in  motion  video.  In  other  words,  the 
software  not  only  analyzes  still  pictures  but 
also  looks  at  how  different  objects  are  moving 
in  relation  to  each  other  in  real  time. 

“What intelligent video endeavors to do is to detect, track and classify objects within the video,” he says. “So intelligent video can tell you when there’s a person in an area that is designed only for vehicles. That’s a very good application of intelligent video, and there’s a distinction between this kind of technology and technologies such as facial recognition software. Those technologies analyze pixels within the video but don’t analyze the scene.”

Hampapur says this type of technology has evolved to where cameras can detect, index and catalog the movements of objects and categorize them by size, color and shape. Thus, if police are looking for a white van that has been used in a series of robberies, surveillance cameras will be able to spot and index all white vans that pass through their line of vision and send that data back to the police department. Hampapur notes, however, that the technology has not advanced to the point people who have outstanding arrest warrants in their names. Face-recognition software, he says, still requires active compliance from the individuals being scanned — that is, people trying to enter certain areas must look into the camera and hold their faces still until the software has a chance to scan and authorize access.

While many think of surveillance technology as being used by government to combat crime and terrorism, retail outlets are increasingly using advanced surveillance technology for both theft prevention and marketing. As surveillance technology increases cameras’ ability to analyze scenes and count moving objects, Schatt says it will enable stores to look for how many people spend time in certain areas to determine which areas are prime real estate sections, and also to see whether sales and promotions attract customers.

“One big reason that the market for surveillance software is growing so large is that it has a lot of sales and marketing implications,” he says. “I’ve seen technology that can track how people in a store look at a display, that will track traffic patterns in a store.”

Troha says surveillance equipment can help stores with staffing issues by providing accurate data on when peak hours occur. Similarly, Hampapur says, the cameras can detect when there are several people standing in line at a certain area where there are too few cashiers and can alert management.

“This kind of security infrastructure can actually make money for businesses rather than just prevent losses,” Troha says. “This is critical for our business model, because if we can use security infrastructure to enable enterprises to derive more revenue, then there’s a lot more traction in using surveillance analytics to gather business intelligence.”

Indeed, Schatt notes, responsibility for maintaining and deploying surveillance systems is increasingly shifting away from companies’ security departments and over to IT. And as surveillance capabilities continue to grow, effective systems will need to be run by people with in-depth knowledge of software capabilities.

“Now that we’re getting more digital surveillance equipment, surveillance is starting to move into purview of the IT department,” Schatt says. “This is interesting, because there has traditionally been a disconnect between security folks and IT people, and this is going to help break that down.” ■
WiMAX WISPs target the enterprise

Wireless  broadband  beyond  Clearwire-Sprint’s  Xohm 


BY  JOHN  COX 

This  fall,  a  Massachusetts  wireless  ISP  will 
launch  its  first  WiMAX-based  services  aimed  at 
business  customers  in  the  eastern  part  of  the 
state.  The  move  by  Pipeline  Wireless  mirrors 
that  of  rival  Towerstream  in  the  same  market, 
and  by  other  similar  “WiMAX  WISPs”  across  the 
United  States. 

For most businesses, their first introduction to WiMAX will be from these kinds of wireless broadband providers, and not from the likes of Tier 1 or Tier 2 operators such as the Clearwire-Sprint partnership, which is struggling to unfold Xohm, a nationwide licensed 2.5GHz band WiMAX network aimed at mobile users. The WiMAX WISPs are using a range of other frequencies, often unlicensed, to deliver all-IP voice and data services that are more cost-effective, more responsive, and faster to deploy than conventional fiber and copper services.

Neither they nor their enterprise customers have to struggle with the current incompatibility of WiMAX equipment. WiMAX WISPs can use the same radio vendor for the base stations and for the customer premises equipment (CPE) to forge a high-quality wireless connection for fixed wireless service. The early mobile WiMAX deployments will face the same requirement, unlike Wi-Fi clients today that generally can connect to any brand of Wi-Fi access point.

Intel’s  combined  Wi-Fi  and  WiMAX  module 
will  have  only  limited  release  this  year,  and 
Gartner  recently  warned  users  to  hold  off  on 
mobile  WiMAX  investments. 

And more opportunities for such WISPs, and for the WiMAX equipment vendors, are being created as the FCC releases more spectrum, both licensed and unlicensed, for WiMAX use. The City of Marietta, Ga., is using the 4.9GHz band, and Tyco M/A-Com’s VIDA fixed WiMAX radios, to upload real-time video streams from anticrime surveillance cameras. The FCC’s release last year of the 3.65GHz-3.7GHz band led to a boomlet of approvals to WISPs planning WiMAX services: 233 as of April. Pipeline and Towerstream were both beneficiaries.

WiMAX  is  more  than  Xohm 

A recent report from Maravedis, a research company that focuses on wireless broadband, concluded that WiMAX offers a lot of U.S. opportunity for companies, and customers, outside the Xohm orbit. The report projects that non-Sprint WiMAX subscribers will exceed 10 million by 2012, up from 500,000 in 2007. “A fixed and/or portable [sometimes called ‘nomadic’] differentiation play, with a strong service model, integrated back-office technologies and additional services is a powerful enough proposition to bring to market,” according to the report.

Evaluating data services from the WiMAX WISPs

Questions worth asking include:

- How quickly can wireless broadband services be delivered, or changed?
- How responsive is the vendor to your changing network requirements, especially in terms of scaling?
- What are the service level agreement (SLA) details?
- Are there adequate, qualified support technicians?
- How does the provider handle remote management of base stations and CPE gear?
- What are the back-end provisions for disaster recovery, redundant power, etc.?
- Depending on your data requirements, can the provider demonstrate a "telco-quality" back-end technical and support infrastructure?

That’s  just  what  companies  like  Pipeline  and 
Towerstream  are  betting  on. 

Pipeline  customers  buy  a  range  of  Internet 
access  and  private  data  network  services,  says 
Chris  Hale,  CTO  for  Pipeline  Wireless.  To  date, 
like  many  similar  companies,  Pipeline  has 
used  proprietary  high-bandwidth  radio  prod¬ 
ucts,  in  this  case  Motorola’s  well-known 
Canopy  radios,  and  frequencies  in  the  5-GHz 
band,  to  deliver  enterprise  services  in  what 
Hale  calls  the  industry  sweet  spot:  data  ser¬ 
vices  up  to  50Mbps,  though  some  customers 
have  gigabit  connections. 

For these WiSPs, there are two big payoffs with WiMAX. First, in the
3.65GHz band, WiMAX offers clean, empty, unlicensed spectrum.
Second, it lets WiSPs provision multiple, separate services, with
separate QoS, over a single radio link between a base station and the
CPE, Hale says. “We may have a customer with a dedicated megabit [of
bandwidth] for 10 concurrent voice calls, who also wants 3Mbps for
three remote sites, at 1Mbps each, and a 3Mbit Internet pipe,” he
says. “We can create a convergence of services over the same
infrastructure.”

Towerstream is making a similar migration from proprietary to WiMAX
radios. The company launched its WiMAX trial for fixed services last
April in the Dallas-Fort Worth area, using radios from Alvarion. One
service offering is the 8Mbps data service, priced at $999. As at
Pipeline, the radio equipment supports the mobile WiMAX standard but
is being used to deliver fixed services.

“We’re using it because the mobile side [of WiMAX] will have much
more scalability,” says Jeff Thompson, Towerstream’s CEO. “That
means economies of scale, which means lower end prices, which is
what it’s all about.”

Other benefits of the mobile WiMAX gear are better performance
without a direct line-of-sight connection between the radios and a
“much better link budget,” which translates into a very reliable
signal even under adverse conditions, according to Thompson.

Thompson tried out the compact, indoor Alvarion CPE box. “I got just
under 6Mbps in each direction, about 2 miles from the nearest base
station,” he says. “I just plugged it into a wall outlet and plugged
my PC into it,” he says. “This could enable a whole different market
for Towerstream: Today we have to do a truck roll to bring up
customers, which is very expensive.”

Neither company sounds like a WiMAX partisan. “To be very frank, it’s
not about the technology,” Thompson says. “You can make money [as a
provider] with pre-WiMAX gear.”

Exploiting  the  WiMAX  niches 

Tyco M/A Com is more enamored of WiMAX’s technical benefits, at
least for the 4.9GHz public safety band. Unlike 802.11, which is a
contention-based access protocol, WiMAX uses a scheduling mechanism,
so applications can be guaranteed bandwidth, says Greg Henderson,
director of broadband technology and products, for Tyco M/A Com.
That makes it ideal for uploading high-bandwidth streaming video in
surveillance and public safety applications, or for mobile command
centers, he says. And WiMAX is more immune to denial-of-service
attacks, which often exploit Wi-Fi’s contention mechanism, according
to Henderson.

In May Tyco released a hardened, high-power WiMAX client (a CPE box)
for its VIDA product line. Using a 5MHz channel, the new client has a
maximum RF power output of 27 dBm, which is the maximum allowed by
the FCC and 12 to 15 dBm greater than rivals, according to Henderson.
With that power, equivalent to about 1.2 watts (most Wi-Fi clients
are measured in milliwatts), the client can support 1M to 19Mbps,
creating a powerful, resilient uplink to the base station.

Pipeline Wireless is in the last stages of picking its WiMAX vendor.
CTO Hale expects the network to go live later this year, not long
after Clearwire-Sprint’s scheduled September launch of Xohm in
Baltimore. ■
Heart of a champion?

IBM/Lotus offers four versions of Sametime designed for companies that
need anything from chat to full unified communications capabilities.

Version: Entry
Description: Secure basic chat via instant messaging and presence
information.
Target audience: Small and midsize businesses.

Version: Standard
Description: Integrated IM and VoIP; Web, video and audio
conferencing.
Target audience: Companies with need for chat and conferencing.

Version: Advanced
Description: Adds community features, persistent chat and broadcast
tools to feature list of standard edition.
Target audience: Companies integrating synchronous communication and
social software.

Version: Unified Telephony
Description: PBX gateway for Sametime, aggregates presence, provides
call routing and user-configurable contact rules.
Target audience: Large companies with need for integrated UC
platform.

Lotus 

continued  from  page  1 

is developing a gateway that invites telephony vendors and other
partners into its UC lineup, which is anchored by Sametime and
includes the Sametime client, Notes messaging, Connections social
software, Quickr document management and Lotus Symphony productivity
applications.

To prove its commitment, Steve Mills, the senior vice president of
IBM’s software group, said in March that the company will spend $1
billion on its UC strategy over the next three years.

It may take such a war chest to overcome major challenges. IBM/Lotus
must fight market dynamics that favor Microsoft’s platform centered
on Office Communications Server (OCS), clearly define its feature
differences and architectural advantages, and penetrate companies
that have an affinity for rival software.

Playing  from  behind 

That  penetration  is  sort  of  a  “do-over”  for 
IBM/Lotus. 

Sametime  is  10  years  old  and  once  was  the 
only  option  for  enterprise  IM  and  presence.  But 
IBM/Lotus  took  its  lead  for  granted  and  the 
platform  languished  between  2003  and  2005. 

When Microsoft began detailing and developing what was to become OCS
2007, IBM finally flinched.

“That was the sound of ‘Jaws’ playing,” says Mike Gotta, an analyst
with the Burton Group, referring to the music in the 1975 movie that
signaled impending doom perpetrated by a great white shark hungry for
unsuspecting swimmers. In January 2007, IBM/Lotus announced its UC2
(pronounced UC squared) strategy around Sametime to signal it was
again ready to play.

Before  year-end,  IBM/Lotus  will  ship  what  will 
become  its  UC  centerpiece. 

Sametime Unified Telephony (SUT) server, unveiled in January, will
introduce an architecture built around two servers that form a single
data-center integration point between the IBM/Lotus environment and
the telephony world.

SUT’s Telephony Control Server provides connections to PBX systems
via Session Initiation Protocol, and eventually in Version 2.0,
Computer-Supported Telephony Application Interfaces. Partners include
Alcatel-Lucent, Avaya, Cisco, Nortel and Siemens.

The Telephony Application server provides an aggregation point for
presence data and APIs for developers building UC-enabled
applications.

The platform will let users receive calls via softphones, and set up
contact and routing rules.

Partners previously suffered with many point-to-point integrations,
but with SUT the integration point is down to one.

“SUT is the perfect boundary,” Gotta says. “On one side all the
vendors connect and on the other side IBM connects” all its software.

Adding  the  topping 

At the same time, IBM/Lotus is spinning presence, social networking,
business workflow and collaboration into a story of increased
productivity on the back of UC.

IBM/Lotus is pointing at Sametime’s scalable and reliable presence
capabilities that will help users find one another based on
attributes such as expertise, authority or location.

The next step is tapping the Lotus Notes pedigree around Notes
(e-mail/collaboration) and Sametime (Web conferencing) to facilitate
sharing and communication. New to the mix is support for social
networking (Lotus Connections), productivity applications (Lotus
Symphony) and document sharing (Quickr) on top of current
integrations with Microsoft Outlook and Office.

The final slice is the client side where IBM/Lotus wants to tap Web
2.0 interfaces to expose UC services.

“We are investing a lot of time and money to enhance our capabilities
in this area,” says Bruce Morse, vice president of UC software for
IBM/Lotus. “We have the rich client [Sametime] nailed down, we are
making more investments in technologies like AJAX and Web services
approaches.”

Morse says the next version of Sametime, due in 2009, will include
capabilities built into the server that support AJAX browser-based
client-type access to UC services using lightweight REST Web services
in favor of bulkier Simple Object Access Protocol-based protocols.

In addition to its own software, IBM is partnering with vendors such
as VBrick to deliver streaming video and Forterra Systems to bring UC
to virtual worlds.

Pulling  it  all  together 

Analysts  so  far  are  lauding  the  efforts. 

“They have very good products,” says Irwin Lazar, an analyst with
Nemertes Research. “Look at what they are doing with Connections.
Look at what they are doing with Quickr. It is extremely extensible
and gives organizations a lot of opportunity to customize
applications, to build new functionality and to build mashup
applications. It’s far more than what users get out of Microsoft.”

But  there  is  still  work  to  be  done  as  the  UC 
battle  heats  up  on  the  vendor  side  and  users 
wrestle  with  project  goals  and  budgets. 

Lazar says IBM/Lotus has to show enough added capabilities and
differences vs. Microsoft to get IT’s ear.

“They are struggling with that,” he says. “There is still some lack
of awareness of IBM’s offerings and what they can do.”

Burton’s  Gotta  says  Morse  and  his  leadership 
team  are  the  best  among  the  Lotus  product 
groups,  but  he  wants  to  see  examples  of 
Sametime  sales  into  Microsoft  shops  since  the 
release  of  OCS  2007. 

He says the company needs to clearly differentiate Sametime Unyte
hosted conferencing services and Sametime on-premises conferencing
and flesh out its hosted business application services code-named
Bluehouse.

IBM/Lotus’ Morse says one-third of new Sametime customers last year
were Microsoft Exchange shops that did not have Notes installed.

“A key part of the strategy is to get into those shops,” he says.
“Customers that choose Sametime over OCS choose it based on the
ability to integrate with what they have invested in as far as
telephony because it has been on the market for 10 years, it scales
and they feel more secure.” ■
No excuses — encrypt all laptops


Every year, more than 5,000 laptops are lost in taxis in London, New
York, Chicago and other large cities. According to our research, in
2008 companies’ topmost security investment was laptop encryption.
Laptop hard drives are getting bigger and now can hold hundreds of
thousands to hundreds of millions of sensitive records.

As a CSO, one of your top priorities is probably to keep your company
off the front page of the newspaper. Is it inexcusable to have
laptops in the field with unencrypted hard drives? With such new open
source solutions as TrueCrypt, there are few excuses left: All
laptops must be fully encrypted.

Encryption technology is easy, but encryption solutions are hard. Key
management and recovery make it difficult to manage large-scale
encryption. Even low-cost encryption software for laptops can add up
quite quickly if you deploy it on all laptops. Even if you can afford
the cost of the software, however, you have to look at the complexity
of the whole solution.

TrueCrypt, an open source encryption solution, now offers
cross-platform (Windows, Mac, Linux), whole-disk encryption that is
surprisingly easy to deploy and use. The software is slick, both in
the initial installation and disk encryption and in its daily use.
It’s unobtrusive, has no noticeable impact on performance and
requires almost no user training. Furthermore, it is free to use and
free to modify. Even the smallest companies now have few excuses for
not deploying whole-drive laptop encryption.

As with any offering, the challenge is recovery from a disk failure
or password loss. TrueCrypt will create rescue CDs that can be used
to recover from corrupted data and boot blocks. In addition, the
rescue CD can be protected with a master administrator pass-phrase
that is independent from the user pass-phrase. So, users can change
passwords and administrators can still recover disks without knowing
the user pass-phrase. Rescue CDs can be carried by users (you still
need the pass-phrase to use the rescue CD) and also stored in a
central location (a fireproof, locked safe).

Although data can be salvaged from an unencrypted drive even after
heavy corruption, encrypted disks can become irrevocably corrupted. I
would recommend combining TrueCrypt with a good backup solution,
preferably an online (over-the-network) backup solution so as to be
protected from data loss.

For those not moving to Windows Vista (which has built-in whole-disk
encryption), TrueCrypt offers a cost-effective, efficient and very
secure solution. Encryption provides not only the most cost-effective
“data leak” protection but also a safe haven from breach disclosure.
No more excuses: If you’re not encrypting laptops, you are not
applying due diligence.

Antonopoulos  is  a  senior  vice  president  and  founding  partner  at 
Nemertes  Research,  an  independent  technology  research  firm.  He  can 
be  reached  at  andreas@nemertes.com 
Open source software a security risk

‘Go into this with your eyes wide open,’ says former White House official


BY ELLEN MESSMER

Open source software is a significant security risk for corporations
that use it, because in many cases the open source community fails to
adhere to minimal security best practices, according to a study
released last week.

The study, carried out by Fortify Software with help from consultant
Larry Suto, evaluated 11 open source software packages and each
community’s response to security issues over about three months. The
goal was to find out if the community for each open source software
package was responsive to security questions or vulnerability
findings, published security guidelines and maintained a secure
development process, for example.

Open source application server Tomcat scored the best in the study
titled “Open Source Study — How Are Open Source Development
Communities Embracing Security Best Practices?”

The remaining 10 open source application, tool and database packages
— Derby, Geronimo, Hibernate, Hipergate, JBoss, Jonas, OFBiz,
OpenCMS, Resin and Struts — had a dismal showing. Among these 10
packages, application server JBoss scored highest by providing a
prominent link to security information on its Web site and easy
access to security experts, but came up short for not having a
specific e-mail alias for submission of security vulnerabilities.

“You don’t want to report bugs to a general mailing list because it
would go to the general public,” says Jacob West, manager of
Fortify’s security research group. There needs to be a measure of
confidentiality in reporting bugs so that the fix for them can be
provided when the public is notified, so attackers don’t get early
information they can exploit.

But  too  often  the  open  source  communities 
that  offer  their  software  for  free  don’t  appear  to 
be  as  mindful  about  security  practices  as  their 
commercial  counterparts,  which  charge  for 
software  and  support,  West  says. 

Fortify identified 22,826 cross-site scripting and 15,612 SQL
injection issues associated with multiple versions of the 11 open
source software packages examined.

But when Fortify tried to reach out to the open source software
communities, with the primary point of contact a Web site and a
general e-mail address, the security firm found that “in two-thirds
of these cases, you didn’t get a response at all,” West says. “There
are no phone numbers. Who do you go to ask for information? It’s kind
of hard to tell who these people are.”

The report notes, “Open source packages often claim enterprise-class
capabilities but are not adopting — or even considering — industry
best practices. Only a few open source development teams are moving
in the right direction.”

West says Fortify did not conduct this study in order to condemn open
source software, but rather to point out that the security practices
need to improve because open source adoption by enterprises and
governments is growing.

Howard Schmidt, former White House cybersecurity czar who’s now a
consultant and also a board member at Fortify, says the study shows
that when it comes to business adoption of open source software,
“You’ve got to go into this with your eyes wide open.”

The reality is that while open source software may appear more
cost-effective and just as functional as commercial software in some
instances, the question of maintenance must be examined very
carefully.

“Who do you reach out to?” Schmidt asks. “What about the thousands of
companies out there running Geronimo? And what about your
supply-chain partners?”

The bottom line is that corporations may find they have to undertake
remediation of open source packages on their own. “You are
effectively on your own, absent your having an arrangement ahead of
time,” Schmidt says.

Government agencies and corporations need to decide if they’re going
to try to mitigate problems with open source software themselves,
through risk assessment and code review, and whether they plan to
give that information back to the open source community.

This is a fundamental question about the life-cycle development of
the software, West says, adding that the study indicated to Fortify
that the open source communities in these cases tended not to correct
for identified flaws in software versions over a period of time. ■
IT project mgmt yields savings

HP’s updated software shows where IT staff spend its time


BY DENISE DUBIE

Constellation Energy invested in project and portfolio management
software from HP in part to comply with requirements laid out in the
Sarbanes-Oxley Act. In addition to achieving compliance, the
integrated energy company reduced repetitive processes and is saving
nearly $1 million annually.

“We were able to implement a standard change-management approach and
platform across the entire IT landscape, which drove our biggest
tangible ROI,” says Jeff Johnson, vice president of infrastructure at
Constellation Energy in Baltimore. “We didn’t need to test each
process for every change, and we got huge savings when it came to the
cost associated with audits.”

The Sarbanes-Oxley legislation was just one of three reasons
Constellation Energy implemented HP Project and Portfolio Management
(PPM) Center. To start, Johnson says his group needs to apply more
“rigor” to the project-management process and implementing software
designed to ensure IT projects meet preset milestones (or provide
insight as to why the group may have missed deadlines) seemed a
logical starting point.

“We wanted to apply more realistic scope to the projects and achieve
higher success rates with projects that complete on time and on
budget,” he explains.

Constellation Energy also wanted to more closely align IT efforts
with business goals. That may sound like lip service, but Johnson
says his team needed to know the projects IT focused on were “driving
business value.”

As a former Mercury Interactive customer and now an established HP
user, Johnson now wants to see the project-management data integrated
directly into quality testing and IT service-management products his
company also purchases from HP.

“We  want  a  one-stop-shop  view  of  all  major 
IT  activities.  We  have  a  service  desk,  a  service 
catalog  and  project  management  —  we  want 
to  see  all  the  demands  on  IT  in  one  place,”  he 
explains. 

Customers such as Constellation Energy drove updates to HP’s PPM
Center 7.5, according to Ken Cheney, HP Software’s director of
product marketing. The company added integration between its
project-management software and HP Service Management Center, for
instance, which would show IT managers how resources assigned to
specific projects were pulled off those duties to address a
customer-facing application performance problem.

“IT managers can see via these integrations what impact a business
change might have downstream to the IT environment, and project teams
can get visibility into the application or service life-cycle to
better understand how resources are used,” Cheney explains.


Pinning down project pitfalls

HP Project and Portfolio Management (PPM) Center 7.5 now integrates
with quality testing, application life cycle and IT service
management software from the vendor, providing customers with
multiple views into the status of IT projects and the resources being
used.

Details such as project owners and testing status can be quickly
assessed from the PPM Center 7.5 user interface when integrated with
HP Center Management for Quality Center.

Project owners can determine how many open IT tickets, or defects in
the project, remain unfinished and track progress over time.

IT managers can determine the priority of unresolved defects and
reassess a likely project close date.


Announced this week, PPM Center 7.5 can be installed on a dedicated
server, or customers may choose to license the product using HP’s
software-as-a-service model. The application features a Web-based
interface and requires no client software be installed. HP included
features that enable IT staff from project managers to help desk
technicians to the CIO to create role-based interfaces that show them
the data they need to address their questions or complete their
assigned tasks.

PPM  Center  7.5  pricing  starts  at  $30,000.  ■ 

SCO  Group:  Its  future  is  all  used  up 


The SCO Group got bad news in court last week. Not an unusual event
for this company, but I wish the need for such events would finally
go away for good.

I’ve now been writing about SCO for five years — how time does fly
when you have something to despise. In my first column about SCO’s
decision to go into the lawsuit business rather than doing all the
hard work of making a product that someone might want to buy, I
thought that someone would just buy the slime off. I was wrong —
maybe there is some truth to the punch line of the old joke that
“there are just some things a lawyer won’t do.” I guess IBM’s lawyers
could not stomach the idea of rewarding such repulsive behavior.

Just to be clear, it is not inherently repulsive to sue for
intellectual property infringement. There are perfectly legitimate
cases where businesses find out that someone else is using technology
that they have patents or copyrights on. Things get uglier when the
group suing is not trying to do anything with the technology other
than sue. But what SCO tried to do is indeed repulsive — not the part
about suing IBM for lots of money but the part about attempting to
wipe out open source software for a buck. Claiming that anyone using
Linux was violating SCO’s copyright and not saying what the
violations were so they could be corrected (in the end, SCO puked up
a hairball of accusations that would not choke a mouse) — that was
repulsive.

The latest news on SCO was generally predictable from the last court decision that said SCO’s basic underpinning of its suit against IBM (and charge against Linux) was faulty: SCO did not own the copyrights it was suing over.

The same judge has now ruled that SCO owes Novell $2.5 million for some software licenses.

SCO is already in bankruptcy but its leadership (if that’s the right term) is still dreaming of reaping big bucks through the court system (see Groklaw’s detailed and careful coverage of this sordid tale for much more information). Maybe it is those dreams of undeserved, and now unlikely, riches that keep SCO going, but I sure wish it would just finish fading away.

When I read Groklaw’s report on the latest court decision I was reminded of a scene from the movie “A Touch of Evil.” (If you have not seen it, this is perhaps the best film-noir crime movie, assuming you see the 1998 recut version.) Yes, the movie title is more than a bit appropriate for SCO, but the scene that came to mind is the one in which Orson Welles walks into a brothel and asks Marlene Dietrich to read his future:

Welles: Read my future for me.

Dietrich: You haven’t got any.

Welles: Hmmm? What do you mean?

Dietrich: Your future’s all used up.

SCO’s future is all used up, too. When will the company finally realize this and stop being a news topic?

Disclaimer:  Considering  Harvard’s  past,  there  is  a  lot  of  future  in  the 
university  still,  but  it  has  not  commented  on  The  SCO  Group  or  the 
movie,  so  the  above  review  and  wish  are  mine. 

Bradner  is  Harvard  University's  technology  security  officer.  He  can  be 
reached  at  sob@sobco.com. 


NET  INSIDER 

Scott  Bradner 


The  carrier  commodity  conundrum 


We all know that these days, bandwidth is “free.” Specifically, it’s a commodity service whose cost is so low that it’s no longer a significant component of telecom costs.

Unfortunately, that’s only half-true. Although the cost of long-haul bandwidth is so low it’s almost impossible to measure, the cost of access bandwidth continues to be fairly high. As Sanford Bernstein analyst Craig Moffett pointed out in testimony to the U.S. Senate Subcommittee on Communications a few years back, providing residential broadband connectivity costs as much as $80 per month.

Bandwidth  is  a  commodity  rather  like  air  or 
water  —  it’s  free  in  some  places,  extremely 
expensive  in  others.  If  you’re  standing  right 
beside  a  mountain  spring,  water  truly  is  free 
—  but  how  much  does  it  cost  to  bring  that 
water  to  the  Sahara?  Or  consider  the  cost  of 
shipping  a  few  liters  of  that  pure  mountain  air 
to  outer  space. 

The challenge facing carriers is to subsidize expensive access costs by charging more for inexpensive long-haul than it’s actually worth. In other words, operating a purely long-haul network isn’t a viable business (that’s why SBC purchased AT&T rather than the other way around). Therefore, to survive, carriers have to operate both the access branches and the core.

But that’s not all. Carriers have to constantly remember not to confuse their raw materials (bandwidth) with what they’re selling (communications services). To understand the difference, think about bottled water: have you ever taken a swig from a water bottle while standing right next to a faucet? Why did you pay $2 or more for that bottled water, instead of drinking the free stuff?

The answer is less obvious than it appears. Some people will say the answer is safety — they believe the bottled water is purer and safer than their local tap water. (Depending on where they live, that may or may not be true — in New York City where I live, you’re better off drinking the stuff from the tap.) Another answer is consistency: Regardless of safety, people know how a bottle of, say, Evian will taste. But the most compelling answer is convenience: You can throw that bottle of water in your car or briefcase, and have it with you right at your chair or desk. So in essence, what Evian is selling isn’t water: it’s purity, consistency and convenience.

The challenge for carriers is to come up with the equivalent value propositions for their services. AT&T’s CSO, Ed Amoroso, is on the right track when he talks about “clean pipes” — offering reliable, virus-free bandwidth. And carriers across the board are stressing managed services — their version of “convenience.” But these are really baby steps — to get out of the bandwidth biz, carriers need to make the case far more compelling.

Johnson  is  president  and  senior  founding 
partner  at  Nemertes  Research,  an  independent 
technology  research  firm.  She  can  be  reached 
at  johna@nemertes.com. 




NEWS  ANALYSIS 


Brocade 

continued  from  page  1 

profitable  and  fared  well  against  Cisco  and 
bigger  companies  since  forming  in  1996,  but 
couldn't  resist  a  Brocade  offer  that  was  a  41% 
premium  on  Foundry’s  closing  stock  price  of 
$13.66  last  Monday  (Foundry  CEO  Bobby 
Johnson  declined  to  talk  with  us  about  the 
deal). 

The markets traditionally targeted by Brocade, Foundry and Cisco are big though mature and not growing rapidly (Dell’Oro Group expects the worldwide SAN market to be $2.8 billion this year, up from $2.6 billion, and the worldwide Ethernet switching market to hit $19.2 billion, up from $18 billion). The unified data center market, however, could be bigger and grow faster given the trend toward data center consolidation.

Though whether Cisco will encounter increased competition from a combined Brocade/Foundry anytime soon is debatable, observers say.

“We do not believe that this development poses any material implications to Cisco’s LAN switching business for the time being,” states Ryan Hutchinson, vice president, Data Networking & Infrastructure, at Lazard Capital Markets in a bulletin on the deal. “Any strategic gains from having footholds in storage, LAN switching and carrier routing are likely long-term-focused, and incremental gains will likely be immaterial to Cisco.”

Customers  waiting 

Foundry  and  Brocade  customers  are  waiting 
for  the  deal  to  shake  out. 

“We’re wondering exactly what their plans are,” says Michael Brownstein, vice president of network services at Highwinds Network Group, a global provider of content distribution services that uses both companies’ products. “We’d love to be able to access storage across a long-haul network. Can they do something that would provide me with more of an end-to-end solution in terms of my networking and storage needs?”

But Brownstein is most concerned about the plans for Foundry’s products, as the content company is phasing out its use of Brocade SANs in favor of increased disk storage at the server.

“Since Brocade is not really in my long-term plans — because I’m not going to continue to deploy storage based upon that kind of solution — I’m much more nervous about the potential impact that the merger could have on my Foundry platform,” he says. “My risks are higher than I think my potential advantages [are].”

Another  joint  Brocade/Foundry  customer 
hopes  the  deal  will  mean  an  uptick  in  R&D 
investment. 

“In the last quarter, [Foundry] R&D had dropped about 5%,” says Seth Azhadi, senior vice president of systems and technology at San Diego County Credit Union. “Hopefully by getting purchased by Brocade, things are going to look a little bit better for the R&D side. When it slips, competition catches up.”

[Chart: Storage plus switching. The Brocade/Foundry union brings together the market leader in Fibre Channel SAN switches (Q1 2008 worldwide revenue: $450M; Other 4.1) and a strong Ethernet switch technology provider that like so many others has been unable to dent Cisco's dominance (Q1 2008 worldwide revenue: $4.5B; Foundry 2.1%). SOURCE: DELL'ORO GROUP]

The competitive landscape in Ethernet switching is another intriguing implication of the union. Cisco’s 70%-plus market share dwarfs that of other players — Nortel, HP ProCurve, Force 10 Networks, Extreme Networks, Enterasys Networks and new entrant Juniper, among them. This deal puts them further behind, observers note.

“I’ve been a little disappointed in the rest of the vendors’ lack of movement toward the whole concept of a unified fabric,” says Zeus Kerravala, senior vice president of enterprise research at The Yankee Group.

“I just get the feeling that the rest of the industry they’re like a bunch of little kids with their hands over their ears screaming, ‘I don’t hear you’ when you talk about this trend. It’s coming,” he adds.

The onus may be mostly on Juniper to respond, but the pickings are slim, Kerravala notes. “There isn’t really another storage pure play out there,” he says.

“It puts Cisco and Brocade in a very unique position to compete for data center connectivity long-term,” Kerravala says.

Focused  on  FCoE 

Both organizations have high hopes for FCoE, which lets the Fibre Channel storage protocol take advantage of 10 Gigabit Ethernet networks, and allows IP network and storage data traffic to be consolidated with a single switch.

With fewer cables and adapters in a server, FCoE will help reduce data center cost and complexity, says Brocade’s Ian Whiting, vice president and general manager of data center infrastructure. Vendors are still waiting for the American National Standards Institute to produce a standard for FCoE, and Cisco and Brocade have already quarreled over the issue, with Cisco using its blog to deny allegations that its FCoE efforts are proprietary implementations not supported by the industry at large.

A draft FCoE industry standard is expected to be released next month. While some industry observers say FCoE products will ship in the second half of this year, others think it’s more likely to happen in 2010 or 2011, says storage analyst Matthew Bryson with Avian Securities.

Whenever it happens, the Foundry acquisition gives Brocade “a way to play in that [IP] space and protects them as at least a portion of the Fibre Channel market is cannibalized by FCoE,” Bryson says.

Best  of  best 

Foundry also was the best Ethernet switching selection Brocade could have made, according to Steve Schuchart of Current Analysis.

“They could have gotten a different company cheaper, but to buy Foundry puts them in a very bright spot,” he says. “Foundry’s on the rise, they’ve got good technology, they’ve got good momentum, they’re well known in that high-performance market, that super-big data center market where Brocade really likes to live. You couldn’t ask for a better pairing.”

A bonus for Brocade, Schuchart says, is the technology depth for future product innovation and Foundry’s presence, albeit tiny, in service provider routing.

“That section of the business makes money,” he says. “It’s been growing. And if Brocade wants to be a complete player — if they really, really want to play with everybody — they have to keep it.”

Business with North American carriers helped Foundry last week report better-than-expected preliminary second-quarter results of $160.7 million in revenue and earnings of $18.3 million. ■




VPNs 

continued  from  page  13 

Alcatel-Lucent, IDC says.

5. Are VPNs good for VoIP?

Yes. MPLS VPNs can provide quality of service that guarantees delivery of VoIP packets on time for better voice quality.

MPLS also scales to accommodate very large numbers of sites fully meshed, so phoning among corporate sites via VoIP shouldn’t be a problem.

Using an SSL VPN to carry VoIP over TCP improves voice quality, testing by Network World has found.

Because TCP reorders packets and retransmits packets that get lost, it can boost quality of the received call. If bandwidth is sufficient to accommodate the VoIP channel plus the retransmissions, it can improve quality.

VPNs also can provide security for VoIP calls running over Wi-Fi networks or wired networks, blocking eavesdropping. VPNs also are used to protect data from smartphones and other handheld devices, including iPhones, although management for that is still rudimentary.

6.  Can  I  use  VPNs  in  virtual  environments? 

Yes,  and  doing  so  may  enhance  VPN  security. 

Many vendors are coming out with versions of their VPN software that run on virtual server platforms. This is desirable for businesses in the midst of virtualization of servers as a way to reduce the number of devices and the electrical power expended in data centers.

The trade-off is that this means not using VPN appliances, which are a popular means of deploying VPN gateways because they are individual devices managed separately.

On the client side of the VPN, a remote machine can help improve VPN security, according to VMware.

Users can configure remote virtual desktops so that they must access corporate sites via a VPN gateway. At the same time, the physical host that the virtual desktop runs on can be barred from the VPN.

So the virtual machine becomes the entity that joins the VPN, meaning any compromises of the host machine are isolated on the physical machine and cannot spread through the VPN into the network.

Virtual machine policies can restrict virtual desktops so they can only access the VPN, making them insulated from attacks originating outside the VPN. “You isolate the virtual machine from everything except the corporate VPN server,” VMware says.

Further virtual machine policies can encrypt all data in the virtual machine and block the data from being transferred out of the virtual machine, making it even less likely that data accessed via VPN can be compromised.

Virtual machine expiration policies can further secure VPNs. If a contractor, for example, is granted corporate VPN access via a virtual desktop on his own machine, the virtual machine can be configured to expire at a certain time, say the date the contract runs out, VMware says. ■


VPNs growing strong

Both sales of VPN equipment and services are predicted to grow at double digit rates over the next three

[Chart: VPN services, 2008 to 2011. SOURCE: IDC]

E-mail encryption: Easier than you think


TECH  UPDATE 

An  inside  look  at  technologies  and  standards 


BY  SANDRA  VAUGHAN 

To properly secure confidential information — everything from trade secrets to financial data and personal identity information — corporations need policy-based e-mail encryption.

But securing data in motion hasn’t yet achieved critical mass. In a March survey of e-mail decision makers at more than 400 large enterprises, Proofpoint asked respondents what percentage of email that should be encrypted is actually being sent that way. On average, the answer is “less than half.” Furthermore, a quarter of respondents said they “don’t know” the answer to the question.

Even though 35% of survey respondents said they intend to deploy a policy-based encryption solution, concerns around administrative burdens, infrastructure costs, ease-of-use and effectiveness have made some organizations hesitant to take the plunge.

The reality is that traditional encryption solutions — which require extensive storage and backup, daunting key management requirements and significant user training — have been outpaced by approaches that are easy to administer and use, and, most importantly, let employees continue to use e-mail but in a secure fashion.

Safeguarding  private  information 

Few organizations are immune from regulatory mandates, many of which require organizations to deploy e-mail encryption as part of their messaging security architecture. The Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, Federal Information Security Management Act and many individual state laws provide guidelines for implementing best practices for handling private information via e-mail and other electronic communications. However, regulatory compliance concerns are only part of the reason encryption solutions should be a component of an organization’s overall messaging security architecture.

A quick hit of the “send” button could result in a competitor getting hold of confidential product-launch plans, the exposure of customer Social Security numbers, a premature leak of corporate financial information or patient medical records being revealed to the masses. The financial and legal ramifications of these situations would be enormous, not to mention the potential negative impact on an organization’s reputation.

The primary role of an encryption solution is to:

• Keep sensitive information private.

• Prevent tampering of messaging content.

• Authenticate the identity of the message’s sender and recipient.

Training users on the proper use of encryption systems can be a significant barrier to the successful deployment of traditional secure messaging solutions. The ideal encryption solution should eliminate the need for users to take any special actions in order to securely communicate electronically with individuals outside of the organization.

Automatically applying encryption based on customized messaging security policies lets organizations secure messages that contain private or confidential information without requiring manual intervention by senders.

Today’s e-mail-based, data-loss prevention systems can scan messages and their attachments for the presence of personal identifiers — such as Social Security, credit card, bank account or medical record numbers — either alone or in combination with healthcare terms such as drug, disease and treatment terms or codes. If such information is detected (possibly taking into account other factors such as the sender’s role or the message destination), message disposition policies can be applied. These policies can range from “block the message and flag it for review” to “encrypt the message and send it securely before transmission.”

In this way, compliance and content security policies are consistently and accurately applied on an as-needed basis, giving IT the greatest control without inhibiting the use of e-mail as a business tool. This enables users to:

• Send encrypted messages using existing messaging infrastructure.

• Send encrypted messages to individuals with whom they’ve never corresponded.

• Easily encrypt email attachments.

• Read, reply and forward secure messages.

Automating encryption based on messaging policies enables secure email communication that’s as simple as the following:

Step 1: Doctor Dan sends an email to Patient Pete using his regular email client. The message is analyzed and automatically encrypted based on the presence of protected health information.

Step 2: Patient Pete receives the encrypted e-mail and clicks on an embedded link to a secure server where the recipient authenticates by providing some type of credentials. This might be as simple as a login and password or it could require the recipient to enroll. Enrollment procedures vary widely, but are often similar to adding a new account at an online retailer (with the exception that only a previously known e-mail would be allowed to enroll).

Step 3: The message is decrypted and hosted in server memory for Patient Pete to review. After Patient Pete accesses the message, it is removed from memory.

Step 4: Patient Pete can securely respond to Doctor Dan.

An  encryption  checklist  for  IT 

When searching for an encryption solution, organizations should look for a tool that is easy to implement and manage, without the overhead and costs associated with traditional security solutions. When investigating encryption solutions, IT security professionals should look to see if the tools meet the requirements of this checklist:

• High detection accuracy: Confidential, private and regulated content should be automatically detected and encrypted, without instances of false positives.

• Policy driven: Encryption should be automatically based on customizable compliance and content security policies.

• Easy to use: Encrypted communication should mirror how individuals communicate without requiring software downloads or the management of digital certificates and encryption keys. It should also enable individuals to view encrypted messages through an easy-to-use interface or desktop client.

• Granular encryption policies: It should be possible for encryption to be triggered by a variety of data matches including structured data (such as credit card numbers and Social Security numbers); unstructured data (such as confidential data in a product launch plan); and by message origin, destination and attributes, such as attachment type.

• Low cost of ownership: The ideal encryption solution should eliminate the need for extensive storage, backup and recovery overhead.
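The scan-and-disposition flow described earlier (personal identifiers alone or combined with healthcare terms, weighed against sender role and destination) and the checklist's "granular encryption policies" item can be sketched as one small policy engine. This is an added example, not code from the article or from any vendor; the domains, roles, term list, medical record number format, rule order and sample messages are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Every policy value here is an assumption constructed for this example.
INTERNAL_DOMAINS = {"clinic.example"}
AUTHORIZED_ROLES = {"clinician", "billing"}  # may send identifiers outside
HEALTH_TERMS = {"diagnosis", "prescription", "treatment", "diabetes"}
BULK_EXPORT_TYPES = (".csv", ".xls")

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
MRN_RE = re.compile(r"\bMRN[:# ]*\d{6,10}\b", re.IGNORECASE)  # hypothetical format


@dataclass
class Message:
    sender_role: str
    recipient: str
    body: str
    attachments: list = field(default_factory=list)  # (filename, extracted text)


def valid_ssn(area, group, serial):
    """Reject ranges that are never issued, to cut false positives."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def luhn_ok(digits):
    """Luhn checksum: tells card numbers apart from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text):
    """Return the kinds of sensitive content seen in one piece of text."""
    found = set()
    if any(valid_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        found.add("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        found.add("card")
    if MRN_RE.search(text):
        found.add("mrn")
    if HEALTH_TERMS & set(re.findall(r"[a-z]+", text.lower())):
        found.add("health_term")
    return found


def disposition(msg):
    """Apply the message disposition policy: 'deliver', 'encrypt' or 'block'."""
    found = find_identifiers(msg.body)
    for _name, text in msg.attachments:
        found |= find_identifiers(text)
    # SSNs and card numbers count alone; an MRN counts only with a health term.
    sensitive = found & {"ssn", "card"}
    if {"mrn", "health_term"} <= found:
        sensitive.add("phi")
    domain = msg.recipient.rsplit("@", 1)[-1].lower()
    if not sensitive or domain in INTERNAL_DOMAINS:
        return "deliver"
    bulk = any(name.lower().endswith(BULK_EXPORT_TYPES) for name, _t in msg.attachments)
    if bulk or msg.sender_role not in AUTHORIZED_ROLES:
        return "block"    # block the message and flag it for review
    return "encrypt"      # send through the secure-delivery path


# Constructed sample messages; none are real data.
SAMPLES = {
    "doctor_to_patient": Message(
        "clinician", "pete@mail.example",
        "Your diagnosis is confirmed (MRN: 00482913). The prescription is ready."),
    "internal_referral": Message(
        "clinician", "nurse@clinic.example",
        "Patient MRN: 00482913 needs a treatment review."),
    "bulk_card_export": Message(
        "billing", "vendor@partner.example", "Monthly file attached.",
        [("cards.csv", "name,card\nA. Sample,4111 1111 1111 1111\n")]),
    "unauthorized_ssn": Message(
        "intern", "friend@mail.example", "His SSN is 123-45-6789."),
    "lookalike_numbers": Message(
        "billing", "customer@mail.example",
        "Order 1234 5678 9012 3456 shipped, ticket 000-12-3456."),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:20} -> {disposition(msg)}")
```

The last sample shows why the checksum and range checks matter for detection accuracy: a 16-digit order number and an SSN-shaped ticket number pass the pattern match but fail validation, so the message is delivered without being encrypted or held.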

Powerful, policy-driven encryption lets organizations mitigate the risks associated with regulatory violations, data loss and corporate policy violations. Encryption solutions have evolved, and properly protecting your organization’s confidential and sensitive data, while still making the information readily available to the appropriate individuals, may be easier than you think.

Vaughan is senior vice president of marketing and products for e-mail security and data loss prevention vendor, Proofpoint. Visit the company at www.proofpoint.com/outbound.

Something to sync about

GEARHEAD

Mark Gibbs

In my Network World Web Applications Alert newsletter I recently covered a terrific service (in beta) called Dropbox from Evenflow. Dropbox is a cross-platform, multiple-endpoint, file synchronization system. It creates a special folder called “Dropbox” in the local file system of a group of PCs. Drop a file into this folder on one machine and it appears in all the other machines’ Dropbox folders. This facility is incredibly useful for collaborative projects and the distribution of specialized content such as templates.

The file transfer is done blockwise (that is, using only file deltas) in the background to minimize perceived performance impact, and the actual transfer is mediated by the Dropbox servers, which allows synchronization between machines isolated by firewalls because Dropbox only uses ports 80 and 443. All data transfers are secure, and storage on the servers is encrypted with the 256-bit Advanced Encryption Standard.

You  can  install  Dropbox  on  Windows  (XP  and  Vista  are  supported, 
although  it  seems  to  work  just  fine  on  Windows  2003  SE)  and  OS  X  (Tiger 
and  Leopard).  A  Linux  version  is  in  the  works. 

You can create subfolders under the Dropbox folder and share them with other Dropbox users outside of your group, and the Dropbox Web interface provides control of sharing, a log of all file additions and deletions, and recovery of deleted files, and you can add comments to shared folders. Finally, as if all that weren’t enough, you can just log on directly to the Dropbox Web site and upload and download files, which provides you with access even from machines that don’t have Dropbox installed.

During the beta (drop me a note to gearhead@gibbs.com with the subject “dropbox” and I’ll send you an invite) you are limited to 2GB of shared storage. When Dropbox comes out of beta the company plans to reduce that to 1GB for free accounts (beta users keep their 2GB limit). In a FAQ the company notes that there have been requests for self hosting and to use Amazon Simple Storage Service (Amazon S3) as the back end, but it makes no promises as to when it might deliver these features.

It’s  got  to  be  said:  Dropbox  is  a  work  of  genius.  It  does  what  it  claims  to 
do  better  than  any  other  service  I’ve  seen  and  transparently  enough  that 
you  could  deploy  it  to  inexperienced  users. 

All of this got me thinking about other synchronization uses. I might set up Dropbox such that the shared folder on a Windows 2003 server on my network is monitored by a copy of another tool I really like — GoodSync, a utility from Siber Systems that I last reviewed two years ago.

GoodSync allows you to set up synchronization “jobs” that can be run on-demand or scheduled. The sync process can uni- or bidirectionally synchronize directories and can use any combination of Windows shares, FTP, Secure FTP, WebDAV and WinMobile (via ActiveSync).

I could set up GoodSync to copy files one-way from various subfolders in the server’s local Dropbox folder to a server archive folder. These various subfolders would be shared via separate Dropbox accounts on the machines of other people I work with who aren’t very computer literate and who shall remain nameless. I’d set up their systems such that critical files (such as accounting data and address books) would be stored in their Dropbox folders, and GoodSync would ensure that copies were archived and always recoverable.

A free alternative to GoodSync might be to use Microsoft’s Robocopy, which is part of the Windows 2003 Resource Kit Tool. If you want to try this utility (which is about as user friendly as a cornered rat), you might want to use the optional GUI, which slightly improves its usability.

There are many ways to skin this particular cat. What do you use?

Gibbs is synced in Ventura, Calif. Your copy to gearhead@gibbs.com.


Ease of use makes two devices shine

COOL TOOLS

The scoop: Pinnacle Video Transfer, by Pinnacle, about $130.

What it is: This handheld device allows you to connect any video source with composite inputs (or an S-Video connection) and transfer the video content directly to any USB-enabled storage device without having to go through a PC. This includes devices such as the Apple iPod and Sony’s PlayStation Portable.

Why it’s cool: I love this device because it’s so easy to use, making for quick and easy backup of a bunch of different video sources. I was able to take a stack of my camcorder tapes and turn them into MPEG4 video files, which I could store on my USB storage drive, or even transfer to a PC for later editing. If you have a bunch of old VCR tapes, you can quickly digitize those, as well. The direct-to-iPod or PSP version lets you take TV shows stored on a digital video recorder and move the content directly to those media players. The device even comes with a composite cable, which means I didn’t have to rifle through my cable drawer looking for the right connections.

One note: The video still transfers at a one-to-one rate — if you’re transferring a two-hour wedding video, it will take two hours.

Grade:  ★★★★  (out  of  five). 

The  scoop:  Compass  597,  by  Sierra  Wireless,  but  on  Sprint  EV-DO  Rev. 
A  network,  about  $50  (after  two-year  agreement  and  rebates),  plus  $60 
monthly  data  plan. 

What  it  is:  A  very  tiny  USB  device  that  offers  wireless  WAN  access  to 
Sprint’s  Mobile  Broadband  (EV-DO  Rev.  A)  network. 


Why it’s cool: What really makes this device shine is its easy installation. Gone are the days of the associated CD-ROM and those lengthy instructions. Just connect the USB device and the software installs and gets you configured with limited input needed. The device also comes with the very nice SmartView software, which does more than just connect you to the wireless WAN. Because there’s a GPS receiver on the device, the software determines your position and then opens a Microsoft Live Search Maps page with your browser to tell you where the latest services are. The software also includes a “share” button that lets users offer the GPS data to other third-party GPS applications.

Mostly though, I was impressed with the network speeds. On average, I was able to get download speeds of 1.05Mbps and upload speeds of 542.6Kbps when testing with Sprint’s Internet Speed Test tool. When I tested with the third-party Toast.net speed tool, I averaged 966.4Kbps download speed and 173.2Kbps upload. Even more impressive was obtaining close-to-megabit download speeds when truly mobile. On a bus trip from Boston to New York, I could still get an average of 846.2Kbps download speed.

Some  caveats:  The  device  has  a  microSD  card  slot  for  data  transfer,  but 
this  really  only  benefits  mobile  phone  or  smartphone  users  who  have 
those  cards. 

Grade:  ★★★★★ 

Shaw  can  be  reached  at  kshaw@nww.com. 
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


CLEAR  CHOICE  TEST  MIDRANGE  ISCSI  SAN  SERVERS 


iSCSI  SAN  servers  look  alike,  but 
behave  very  differently 

NetApp  leads  the  pack,  but  Compellent,  HP  and  Dell  close  behind 


BY JOEL SNYDER, NETWORK WORLD LAB ALLIANCE

A terabyte isn’t what it used to be. Disks are slower than you think. And a Gigabit Ethernet is plenty of bandwidth for many storage applications. Those are the three conclusions we came to after a round of testing 12 iSCSI storage-area network servers.

SANs, previously the exclusive domain of the world’s largest data centers, have been made possible for most enterprise and even some midsize organizations because of the incredible popularity of virtualization. Rather than trying to match present and future CPU, memory and storage needs with a single indivisible box, virtualization lets the data center manager throw lots of resources onto a network, and then slice off as small or as large a chunk as is needed to meet each application’s needs.

SANs, such as the dozen driven by the iSCSI SAN servers we looked at in this test, are one of the many moving parts of this virtualization-focused environment.

While iSCSI SAN servers look astonishingly similar on the outside, we found some substantial differences in the products tested from Celeros, Compellent Technologies, Dell (formerly EqualLogic), D-Link, FalconStor Software, HP, Kano Technologies, LeftHand Networks, NetApp, Nexsan Technologies, Reldata and StoneFly.

Performance is an easy differentiator among products. For example, in our easiest performance test, throughput rates ranged from 80Mbps to 2447Mbps. That said, we found even more significant dif-

NET RESULTS

Product: FAS2050 (dual controllers)
Vendor: NetApp, www.netapp.com
Price: $69,960**
Pros: Among highest performance in our tests; NAS and SAN features; heavy enterprise feature set; built-in high-availability capabilities; good snapshot agent support; expandable.

Product: StorageCenter
Vendor: Compellent Technologies, www.compellent.com
Price: $68,800
Pros: Very expandable; outstanding management interface; data migration feature reduces management costs; flexible snapshot features.

Product: StorageWorks 2012i Modular Smart Array
Vendor: HP, www.hp.com
Price: $12,887
Pros: Mixes SAS and SATA drives in same chassis; easy expandability; above-average management toolset; built-in HA capabilities.

Product: PS5000XV
Vendor: Dell, www.dell.com/equallogic
Price: $55,000
Pros: Heavy set of enterprise features; among highest performance in our tests; built-in HA capabilities; easy expansion into cluster.

Product: NSM 2120 Storage Node
Vendor: LeftHand Networks, www.lefthandnetworks.com
Price: $96,000*
Pros: Easy expansion and scalability; among highest performance in our tests; easy configuration for iSCSI initiators.

Product: Storage Concentrator
Vendor: StoneFly, www.stonefly.com
Price: $26,436****
Pros: Very good performance for SATA-based system; expandable with additional disk shelves over Fibre Channel; simple GUI.

Product: NSS-S12
Vendor: FalconStor Software, www.falconstor.com
Price: $43,000
Pros: Strong snapshot agent support; strong replication feature set.

Product: 9240 Unified Storage Gateway
Vendor: Reldata, www.reldata.com
Price: $43,907
Pros: Excellent technical support; good security design; very expandable.

Product: EzSANFiler XD34S
Vendor: Celeros, www.celeros.com
Price: $15,825
Pros: NAS and SAN capabilities; mixes SAS and SATA drives in same chassis; easy networking; expandable.

Product: NetCOR 7500
Vendor: Kano, www.kanotechnologies.com
Price: $13,447
Pros: Built-in HA capabilities; six GigE ports per controller; easy expansion with mix of SATA and SAS drives.

Product: DSN-3200-10
Vendor: D-Link, www.dlink.com
Price: $12,475***
Pros: Lowest cost per gigabyte; offers eight Gigabit Ethernet data ports.

Product: SATABeast
Vendor: Nexsan Technologies, www.nexsan.com
Price: $67,500
Pros: Incredibly high density; fastest management in this test; very good performance for SATA-based system; built-in high-availability capabilities.

* Quantity: three. ** Includes dual controllers. *** Includes 15 user-added 1TB disks. **** Includes DNF FS 16F array.
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and  replication/backup  services;  hardware  design  issues,  such  as 
high  availability,  expansion  parameters,  flexibility,  and  load  sharing; 
and,  finally,  manageability. 

Products from NetApp, HP, Compellent and Dell consistently led the test results. LeftHand Networks, StoneFly and FalconStor had some very high points, but all also fell way down in overall management capabilities. There was only a half-point spread among these seven products in our scorecard. That said, we give the Network World Clear Choice award to NetApp’s FAS2050 because of its combination of high performance, enterprise features and high-availability capability.

We consistently found room for improvement in the products from D-Link, Nexsan, Celeros and Kano Technologies.

In an attempt to make the results of this test as navigable as possible, we’ve divided them into six stories based on the area of testing. These topical stories show how the products stand up and fall down in the areas of interoperability and compatibility (see story at www.nwdocfinder.com/5836); data protection; power consumption (see story at www.nwdocfinder.com/5837); enterprise features; management; and performance. Additionally online is a product-by-product breakdown, as well as a slide show featuring the highlights of the testing.

Snyder is a senior partner at Opus One in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.


Cons and Score

Vendor: NetApp
Cons: Very poor management interface needs revamp; two controllers separately managed.
Score: 4.2

Vendor: Compellent Technologies
Cons: Low space efficiency; high availability requires completely separate controller.
Score: 4.1

Vendor: HP
Cons: MPIO setup requires manual intervention; SATA performance poor.
Score: 4.1

Vendor: Dell
Cons: Weak reporting features.
Score: 4.0

Vendor: LeftHand Networks
Cons: Management model restrictive; high price for minimum high-availability configuration.
Score: 3.9

Vendor: StoneFly
Cons: Unmanaged external arrays.
Score: 3.9

Vendor: FalconStor Software
Cons: No expansion capabilities; poor integration between RAID controller and rest of system.
Score: 3.7

Vendor: Reldata
Cons: Poorly designed GUI hard to use and buggy; unmanaged external arrays; no snapshot agent support.
Score: 3.6

Vendor: Celeros
Cons: iSCSI target configuration convoluted; no snapshot agent support; no HA capability; bad documentation.
Score: 3.3

Vendor: Kano
Cons: Limited snapshot features; no replication features.
Score: 3.3

Vendor: D-Link
Cons: Technical support level unacceptable; no HA capability; no snapshot capabilities; no expansion option.
Score: 3.1

Vendor: Nexsan Technologies
Cons: Poor security model; no replication or snapshots; high-availability not transparent.
Score: 3.1


iSCSI  SAN  servers 
vary  widely  on 
data  protection 

BY  JOEL  SNYDER,  NETWORK  WORLD  LAB  ALLIANCE 

If there’s any easy way to tell products apart in the iSCSI storage-area-network server space, it’s in the support for advanced data protection features, such as snapshots and replication.

In theory, snapshots encompass a simple idea: You instruct the storage array to make a point-in-time copy of the state of a virtual disk. You can continue reading and writing to the virtual disk, but you can also go back to the snapshot to see what things looked like at the moment you captured it. That said, every vendor whose product ships with this capability (only D-Link’s DSN-3200-10 and Nexsan Technologies’ SATABeast don’t) takes great pains to document that its products aren’t actually making a copy of the virtual disk, but are simply tracking the delta between data versions. If you do want to keep a snapshot forever, that process may require some additional work to either copy it to a new volume or separate it from the parent volume.

One easy differentiator among the products tested regarding snapshots is operating system and application support. It is dangerous to have the storage system simply pick a moment in time to create the snapshot because the iSCSI storage protocol has no sense of files or directories. Depending on what is happening at that moment, the file system may or may not be fully self-consistent. There are lots of bits and pieces that point to each other on a disk, and if you catch a snapshot when one pointer is updated, but not the other, then the disk may not be “legal” anymore. The problem compounds itself with certain applications, such as e-mail and databases, where consistency and a full backup may require multiple virtual disks to all be in sync at the same moment.

This  will  not  be  an  issue  if  you  plan  to  make  snapshots  of  disks  that 
aren’t  in  active  use.  However,  if  you  want  to  guarantee  that  a  snapshot  is 
fully  self-consistent  and  can  always  be  used  in  place  of  the  original  disk, 
you  need  to  verify  that  your  iSCSI  SAN  server  has  some  sort  of  agent  that 
can  communicate  between  the  operating  system  or  application  and  the 
array  to  ensure  consistency  at  the  moment  of  snapshot. 

The leader in claimed agent support for snapshots is FalconStor Software’s NSS-S12, with specific support for more than a dozen databases and e-mail servers, along with the most common Unix and Windows operating systems. Unfortunately, our testing of FalconStor’s snapshot capability with Windows 2008 showed a particularly pernicious bug in the product: It said we were getting consistent snapshots, when we actually weren’t. Eventually technical support weighed in that Windows 2008 Server wasn’t supported yet. While FalconStor’s technology worked well with all our other tests, this highlighted one of the difficulties of agent support.

Close behind FalconStor is NetApp, with agents for Windows and Unix operating systems but no specific support for applications. We tested NetApp’s Windows 2008 agent and were able to get a consistent snapshot.

Every other vendor participating in this test was less ambitious about tackling the snapshot consistency issue with agents; they offered no real agent support, or support for a specific Microsoft operating-system feature (introduced in Windows 2003) called Volume Shadow Services (VSS). Compellent Technologies, Dell, HP, LeftHand Networks and StoneFly all point specifically at Microsoft for operating-system-level consistency and are silent in their documentation when it comes to Unix operating systems or VMware’s ESX server. We tested snapshots to be sure that we could indeed make one with all of these products, advertise it as a new iSCSI volume, and retrieve files from it. We did not run into any problems with these simple requests.

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SCORECARD

Vendor                   Interoperability  Data Protection  Enterprise features  Mgmt.  Performance  Green  Final Score
Weight                   20%               20%              20%                  20%    15%          5%
NetApp                   5                 5                4.5                  2      5            3.5    4.2
Compellent Technologies  3.75              4.5              4                    4.5    3.5          3.5    4.1
HP                       4.25              3.5              5                    3.5    4            4      4.1
Dell                     4.25              3.5              4.5                  3.5    4.5          3.5    4.0
LeftHand Networks        5                 4.0              3.5                  3.5    5            3      3.9
StoneFly                 5                 4.0              4.5                  2      4            3.5    3.9
FalconStor Software      4.5               4.5              3                    2      4.5          4      3.7
Reldata                  5                 3.5              4                    2      3.5          3      3.6
Celeros                  4.5               2.5              3                    3      3.5          4      3.3
Kano Technologies        4.75              3                3.5                  2      3            4      3.3
D-Link                   3.75              2                2.5                  3      4            4      3.1
Nexsan Technologies      4.5               2                3.5                  2      3            4.5    3.1

Scoring key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Subpar or not available.

Note: Products from NetApp, Compellent Technologies, Dell, LeftHand Networks and Reldata used SAS drives. Products from HP and Celeros used SAS and SATA drives. Products from StoneFly, FalconStor Software, Kano Technologies, Nexsan Technologies and D-Link used SATA drives.

One common feature was the ability to schedule regular snapshots. SAN servers from Compellent, Dell, FalconStor, HP, LeftHand Networks, NetApp and StoneFly all support scheduling of periodic snapshots.

We also found some differences in what you can do with snapshots, such as how easy or hard it is to split off snapshots as separate virtual disks (Compellent’s StorageCenter was particularly good at this); revert a virtual disk to a snapshot image (the FalconStor NSS-S12, HP StorageWorks 2012i and LeftHand Networks NSM 2120 made this easy to do); or use a snapshot automatically as part of a backup strategy (only the Kano Technologies NetCOR 7500 made this difficult).

Snapshot functions offered by Compellent, FalconStor, HP, Kano and NetApp require an extra license. (Kano says it is going to stop charging for snapshot licenses in August 2008.)

Most iSCSI servers require you to make some allocation of space or prediction of how much space the snapshot will use; a few do not, including Compellent’s StorageCenter and LeftHand Networks’ NSM 2120. Whether this matters to you depends on why and how you’re making snapshots. Similarly, most have limitations on the number of snapshots you can have for a particular virtual disk. The HP StorageWorks 2012i licenses the number of snapshots you can have. For others, such as the NetApp FAS2050, with limits, the number is fixed, often to a very high number (such as 255 per system).

Replication  variations 

Replication is another data availability feature that you can use to differentiate iSCSI storage systems. Most often, replication is used to keep a copy of a virtual disk on another storage system, with the idea that you would physically locate the second server in another building or possibly in another country. As with snapshots, basic functionality is present in many products, but there are many variations, such as data deduplication and bandwidth-limiting capabilities.

We divided replication into two categories: synchronous and asynchronous replication. With synchronous replication, every write to a virtual disk is mirrored to the replicated volume, which means the replicated volume is guaranteed to be consistent with the original volume. It’s called “synchronous,” because the write operation is not signaled as completed until both copies are in sync. Synchronous replication is a touchy subject because it requires high bandwidth and low latency between the two storage systems. Otherwise, performance will be impacted heavily.

Compellent, FalconStor, LeftHand Networks, NetApp, Reldata and StoneFly all support synchronous replication. FalconStor and NetApp offered the greatest options, supporting synchronous replication to both the same storage subsystem and to a remote subsystem. Reldata had the most interesting option: Its product will replicate traffic using iSCSI, so that you could use a non-Reldata system for the remote storage server.

Asynchronous replication is a much looser form of replication and is often tied in with snapshots. The idea is that regularly scheduled snapshots of a virtual disk are used for replication. The replication process sends only what changed between the last snapshot and the current one. Asynchronous replication doesn’t significantly affect performance, because it doesn’t get in the way of every single write. Thus, if you snapshot once an hour, your replicated virtual disk will be about an hour out of date (depending on how long it takes to transfer the updates). Asynchronous replication is supported by Celeros (remote), Compellent (local/remote), Dell (remote), HP (local), LeftHand Networks (remote), NetApp (local/remote), Reldata (remote) and StoneFly (local).
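The two mechanisms described in this story, snapshots that track deltas rather than copy the disk (with the consistency risk that comes from an unquiesced snapshot) and asynchronous replication that ships only what changed between two snapshots, can be modelled together. This Python example is added for illustration and is not any tested vendor's implementation; the Volume class, the two-block "file system" layout and the snapshot names are assumptions.

```python
class Volume:
    """Virtual disk with copy-on-write snapshots: only overwritten blocks are kept."""

    def __init__(self, nblocks):
        self.blocks = [b""] * nblocks
        self.snaps = []                      # [(name, {block_no: data at snapshot time})]

    def snapshot(self, name):
        self.snaps.append((name, {}))        # costs nothing until blocks change

    def write(self, n, data):
        if self.snaps:
            # Preserve the old content once, on the first overwrite after the snapshot.
            self.snaps[-1][1].setdefault(n, self.blocks[n])
        self.blocks[n] = data

    def _index(self, name):
        return [s[0] for s in self.snaps].index(name)

    def read(self, n, snap=None):
        """Read the live disk, or the disk as it looked when `snap` was taken."""
        if snap is not None:
            for _, saved in self.snaps[self._index(snap):]:
                if n in saved:
                    return saved[n]
        return self.blocks[n]

    def delta(self, old, new):
        """Blocks written between two snapshots: {block_no: content at `new`}."""
        changed = set()
        for _, saved in self.snaps[self._index(old):self._index(new)]:
            changed.update(saved)
        return {n: self.read(n, new) for n in sorted(changed)}


def write_file(vol, data_block, payload, snapshot_midway=None):
    """Two dependent writes, as a file system issues them: directory entry, then data."""
    vol.write(0, b"%d:%d" % (data_block, len(payload)))    # block 0 = pointer:length
    if snapshot_midway:
        vol.snapshot(snapshot_midway)        # array picks its own moment, no host agent
    vol.write(data_block, payload)


def is_consistent(vol, snap=None):
    """Does the directory entry point at a data block of the recorded length?"""
    ptr, length = (int(x) for x in vol.read(0, snap).split(b":"))
    return len(vol.read(ptr, snap)) == length


def replicate(source, replica_blocks, old, new):
    """Asynchronous replication step: ship only the delta between two snapshots."""
    changes = source.delta(old, new)
    for n, data in changes.items():
        replica_blocks[n] = data
    return len(changes)


def demo():
    vol = Volume(8)
    write_file(vol, 2, b"ledger-v1")
    vol.snapshot("hourly-1")                                 # disk idle: consistent
    replica = [vol.read(n, "hourly-1") for n in range(8)]    # initial full copy
    write_file(vol, 3, b"ledger-v2-longer", snapshot_midway="unquiesced")
    vol.snapshot("hourly-2")                                 # taken after the update finished
    shipped = replicate(vol, replica, "hourly-1", "hourly-2")
    return {
        "hourly-1 consistent": is_consistent(vol, "hourly-1"),
        "unquiesced consistent": is_consistent(vol, "unquiesced"),
        "hourly-2 consistent": is_consistent(vol, "hourly-2"),
        "blocks kept for hourly-1": len(vol.snaps[0][1]),
        "blocks shipped": shipped,
        "replica matches hourly-2": replica == [vol.read(n, "hourly-2") for n in range(8)],
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:26} {value}")
```

Running a check such as is_consistent against the snapshot itself, rather than trusting the array's report, is the kind of verification that exposed the false "consistent" result described above.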

Like  snapshots,  replication  is  often  a  separately  licensed  feature. 
Because  we  didn’t  test  it,  our  pricing  information  does  not  include  it. 

Although we focused on iSCSI in our testing, three of the systems, from Celeros, NetApp and Reldata, also include network-attached-storage (NAS) protocols (such as NFS or CIFS/SMB) in the same systems. Celeros caught our eye on the data-recovery and data-protection area because it has preinstalled agents for popular enterprise backup applications from Veritas Software (Symantec), Dantz (EMC) and CA. This lets the Celeros server handle backups, a slightly more efficient approach than having a server with mounted NAS volumes do the backups.

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


Security  features  for  iSCSI  SAN 
servers  set  at  a  very  low  level 


BY  JOEL  SNYDER,  NETWORK  WORLD  LAB  ALLIANCE 

Our testing of iSCSI storage-area-network servers shows they all handle basic functions as advertised. But we had to dig deeper into other enterprise features offered — such as security, high availability and expandability — to find bigger differentiations among the products.

We looked for the same level of security management and secure design in iSCSI storage systems as we would for any other critical network component. But we were sorely disappointed.

We expected something as simple as having a strict separation between management and data planes to be basic to these products, but less than half of the products tested — D-Link’s DSN-3200-10, HP’s StorageWorks 2012i, NetApp’s FAS2050, Nexsan Technologies’ SATABeast and StoneFly’s Storage Concentrator — have the ability to completely separate data and management.

How  about  encrypted  management  traffic?  Most  products  supported 
that,  although  with  some,  enabling  SSL  was  optional  while  with  others  it 
was  very  difficult  to  enable  at  all.  Kano  Technologies’  NetCOR  7500  and 
Nexsan’s  SATABeast  don’t  support  SSL.  The  SATABeast  was  even  more 
frightening:  It  runs,  by  default,  without  any  user  name  or  password 
required  for  management. 

And  in  another  security  faux  pas,  we  found  many  products  listening  on 
Telnet  ports  that  couldn’t  be  disabled. 

Our general conclusion is that the storage industry somehow thinks its products are safe because they are sitting inside the corporate firewall. They should rethink that point very carefully.

We did run into a few occasional security high points, though, such as delegated levels of system management offered in the Compellent Technologies StorageCenter and the NetApp FAS2050. But the only product in our test that easily met basic requirements for control security — a separate control plane, ability to enable and disable management services and encrypted management — was the HP StorageWorks 2012i. Next up was the NetApp FAS2050, which had many of the same features, but made them so difficult to use that many managing this system would not bother to use them correctly. For example, controlling SSL and Secure Shell access — something HP facilitated with two check boxes within its Network Management GUI screen — takes NetApp 20 pages of documentation to describe.

On the data security side, we had a better experience in spite of the fact that the iSCSI protocol is a particularly dangerous one for most enterprises because of its “discovery” mechanism, which is a way for an iSCSI initiator to discover all the virtual disks that an iSCSI target is advertising. Discovery makes it easy for an inattentive administrator to accidentally — or purposefully — attach a server to a virtual disk that he shouldn’t, potentially causing data corruption or information leakage. An iSCSI storage system must have a clear security model that makes it easy for the storage administrator to unambiguously apply controls on which systems can connect to which virtual disks.

We were looking for products that would let us restrict volumes based on iSCSI initiator name, IP address or a user name/password pair. Our testing showed that the Dell PS5000XV and Reldata Unified Storage Gateway, followed by the StoneFly Storage Concentrator, had the cleanest and most complete data security implementations, making it relatively easy to apply any protection needed.

The only product that failed our basic requirements for data security was the Nexsan SATABeast, because it did not support any sort of initiator/target authentication. While the other products made it variously confusing or difficult to use authentication (CHAP is the authentication protocol commonly used in iSCSI), we did manage to make them all work eventually.
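The access model discussed above (restrict each volume by initiator name, source address and a CHAP user name/secret, and apply the same restrictions to discovery) looks like this on the target side. This Python example is added for illustration and is not code from any product in the test; the class names, IQNs, addresses and secrets are constructed, all three restrictions are combined as an assumption, and the response calculation is CHAP with MD5 as defined in RFC 1994.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass


def chap_response(identifier, secret, challenge):
    """CHAP with MD5 (RFC 1994): MD5(identifier byte || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


@dataclass(frozen=True)
class VolumeAcl:
    target: str              # IQN of the virtual disk's target
    initiators: frozenset    # initiator names allowed to see and use it
    networks: tuple          # source networks allowed (ideally the storage network only)
    chap_user: str
    chap_secret: bytes


class TargetPortal:
    def __init__(self, acls):
        self.acls = {a.target: a for a in acls}
        self.pending = {}    # (initiator, target) -> (identifier, challenge)

    def _permitted(self, acl, initiator, ip):
        addr = ipaddress.ip_address(ip)
        return initiator in acl.initiators and any(addr in net for net in acl.networks)

    def discover(self, initiator, ip):
        """Filtered discovery: advertise only the targets this initiator may attach."""
        return sorted(t for t, a in self.acls.items() if self._permitted(a, initiator, ip))

    def start_login(self, initiator, ip, target):
        acl = self.acls.get(target)
        if acl is None or not self._permitted(acl, initiator, ip):
            return None      # refused on name/address before any CHAP exchange
        state = (secrets.randbelow(256), secrets.token_bytes(16))
        self.pending[(initiator, target)] = state
        return state

    def finish_login(self, initiator, target, user, response):
        state = self.pending.pop((initiator, target), None)   # each challenge is single-use
        if state is None:
            return False
        acl = self.acls[target]
        expected = chap_response(state[0], acl.chap_secret, state[1])
        return user == acl.chap_user and hmac.compare_digest(expected, response)


# Constructed names, addresses and secrets for the demonstration.
STORAGE_NET = (ipaddress.ip_network("10.20.0.0/24"),)
DB_VOL, MAIL_VOL = "iqn.2008-06.example.san:vol-db", "iqn.2008-06.example.san:vol-mail"
DB_HOST, MAIL_HOST = "iqn.2008-06.example.hosts:db01", "iqn.2008-06.example.hosts:mail01"
DB_SECRET, MAIL_SECRET = b"constructed-db01-secret", b"constructed-mail01-secret"


def demo():
    portal = TargetPortal([
        VolumeAcl(DB_VOL, frozenset({DB_HOST}), STORAGE_NET, "db01", DB_SECRET),
        VolumeAcl(MAIL_VOL, frozenset({MAIL_HOST}), STORAGE_NET, "mail01", MAIL_SECRET),
    ])
    out = {
        "db01 discovers": portal.discover(DB_HOST, "10.20.0.11"),
        "unlisted host discovers": portal.discover("iqn.2008-06.example.hosts:test",
                                                   "10.20.0.50"),
        "db01 from office LAN": portal.start_login(DB_HOST, "192.168.5.9", DB_VOL),
        "db01 to mail volume": portal.start_login(DB_HOST, "10.20.0.11", MAIL_VOL),
    }
    ident, challenge = portal.start_login(DB_HOST, "10.20.0.11", DB_VOL)
    answer = chap_response(ident, DB_SECRET, challenge)
    out["db01 correct secret"] = portal.finish_login(DB_HOST, DB_VOL, "db01", answer)
    out["same answer reused"] = portal.finish_login(DB_HOST, DB_VOL, "db01", answer)
    ident, challenge = portal.start_login(DB_HOST, "10.20.0.11", DB_VOL)
    wrong = chap_response(ident, MAIL_SECRET, challenge)
    out["db01 wrong secret"] = portal.finish_login(DB_HOST, DB_VOL, "db01", wrong)
    return out


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:24} {value}")
```

With discovery filtered by the same ACL as login, a server only ever sees the virtual disks it is meant to attach, which removes the accidental-attach case described above.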


We also looked for encryption on the data plane, although it is likely
that most storage managers will depend on a separate data network
rather than encryption to help assure privacy. NetApp’s FAS2050 had it,
and we were able to make it work. The Celeros EzSANFiler claimed to
have IPSec encryption, but we couldn’t make it work. Reldata’s Unified
Storage Gateway supports manual key sharing rather than Internet Key
Exchange, an approach that won’t pass muster in the real world.

We found an interesting feature (which we didn’t test) on the StoneFly
Storage Concentrator: on-disk encryption. With StoneFly’s implementation,
encryption keying information is loaded on a USB memory card
that must be present when the system is booted.

RAID-level  differentiation 

Another difference between the iSCSI SAN servers tested is the number
and types of devices and RAID levels supported. Different RAID
types usually represent trade-off choices between availability (the ability
to survive a drive failure), performance (read and write speed), and
capacity (the amount of space wasted by redundant storage). In larger
storage systems that can mix both expensive high-speed/low-capacity
drives with less expensive low-speed/high-capacity devices, there’s also
a cost trade-off to factor in.

In a traditional single system RAID environment, system managers are
accustomed to having a lot of choice and control: disk striping (RAID 0),
disk mirroring (RAID 1), striped mirrors (RAID 1+0) and distributed
parity (RAID 5) are all commonly available for any set of disks, along with
other variations (RAID 4, RAID 5+0, and more). System managers pick
one or the other based on their requirements for efficiency, data integrity
and performance. When dealing with eight or so identical disks and a
single application or two, it’s easy to make these choices.

In the iSCSI storage systems we tested, the minimum number of drives
is 12, with most systems offering expansion far beyond that. (Only the
D-Link DSN-3200-10, FalconStor Software NSS-S12 and Nexsan SATABeast
did not allow expansion, although with a 42-drive capacity in the Nexsan
SATABeast, it’s hard to consider that a lack of expansion capability.)

Choosing RAID levels in an environment with dozens of drives and
applications, multiple drive speeds and capacities, as well as such
features as virtual drive expansion (supported in all the devices we tested)
and snapshots, may be more than even a storage genius can handle
intelligently.

The most innovative approach to the plethora of RAID choices comes
from Compellent, with its dynamic, tiered storage system. The
responsibility for managing the performance/cost trade-off falls on the
Compellent controller rather than the system manager. A Compellent
system (like many we tested) can combine high-speed but expensive
drives with low-speed, higher-capacity, less-expensive drives, all into RAID
0, RAID 1+0, RAID 5 and a double mirror stripe RAID 1+1+0. Rather than
specifically lock a particular virtual drive into one set of physical disks
and one RAID topology, Compellent’s software can automatically
migrate heavily used data to faster storage and less-used data to slower
storage, based on as many as three tiers that the system manager
identifies. We tested this and watched as heavily used data during
performance testing made our “Tier 1” disk-drive lights blink, while the data we
wrote once and touched only at the end of the test week got pushed to
“Tier 2” physical drives — all within the same virtual disk.

No other vendor claimed to have anything like this automatic RAID
migration, although we were pleased to see the Celeros EzSANFiler
XD34S and HP StorageWorks 2012i systems support a mix of
Serial-Attached SCSI (SAS) (high speed, high cost, low capacity) and Serial
Advanced Technology Attachment (SATA) (low speed, low cost, high
capacity) drives in the same shelf, giving the system manager more
control over the cost/performance/capacity trade-off, even in fairly small
deployments. All the other expandable systems require each storage
shelf (typically 12 to 20 drives) to have a single type of device, either SAS
or SATA. However, it should be noted that the Celeros and HP arrays
suffered lower levels of performance on SAS and SATA than other servers
we tested, so this flexibility within the same chassis does come at a cost.

When it comes to simple enumeration of RAID levels, we resisted
turning this part of our evaluation into a “more is better” list. Every device
offered the choice to trade off reliability (by selecting RAID 1+0 or RAID
6) against efficiency (typically by opting for RAID 5), which seemed to
be sufficient for most requirements.

One difference between the storage subsystems we tested and a typical
RAID controller is that our systems generally have RAID 6 support
(except the Compellent StorageCenter, Dell PS5000XV, D-Link
DSN-3200-10 and Reldata Unified Storage Gateway). RAID 6 is not as standardized
as the other levels, but refers to a parity redundant storage technique
similar to RAID 5 that can survive the loss of any two drives without failure.

Storage  load-balancing 

The final areas we evaluated for enterprise features are load balancing
and high availability, which often go hand-in-hand. Although we didn’t
ask for high-availability configurations, all the systems came with
multiple power supplies, and six of the systems came with dual controllers
integrated into their iSCSI servers, so we peeked at the high-availability
capabilities anyway. The Dell PS5000XV, HP StorageWorks 2012i, Kano
NetCOR 7500, NetApp FAS2050 and Nexsan SATABeast were shipped
with two controllers integrated into their basic iSCSI storage systems. We
tested each one and had only a single failure: the Nexsan SATABeast
would not fail over properly when we were using QLogic iSCSI initiators,
although it did work using the integrated Microsoft Windows 2008 iSCSI
initiator. We tracked this down to an incompatibility between the MPIO
feature set in the QLogic initiator and the MPIO software in Windows
2008. This highlighted a fairly unusual high-availability strategy in the
Nexsan, which required full MPIO support.

The Dell, HP, Kano and NetApp servers all worked using a more
traditional system where one controller took over the IP address(es) of the
other controller when it crashed. In our tests, these all worked flawlessly.


When  investigating  high-availability  features,  we  also  ran  into  some 
load-balancing  issues.  In  the  world  of  storage  systems, “active/active”  load 
balancing  means  something  very  different  than  it  does  in  the  world  of 
network  appliances.  Storage  servers  —  at  least  the  ones  we  tested  — 
don’t  actually  balance  load  across  internal  controllers.  Instead,  each 
controller  takes  primary  responsibility  for  a  set  of  virtual  disks, and  it’s  up 
to  the  system  manager  to  make  sure  that  each  controller  has  a  balanced 
load.  In  the  world  of  networking,  we  call  that  “active/passive,”  but  storage 
vendors  prefer  to  use  “active/active”  to  indicate  that  each  controller  is 
taking  some  load, even  if  they’re  not  sharing  load  on  a  single  virtual  disk. 

The easiest-to-manage load balancing was in the Dell PS5000XV,
Kano NetCOR 7500 and LeftHand Networks NSM 2120 devices. In each
implementation, the iSCSI servers present themselves to the network as
a single IP address, even though multiple controllers and IP addresses
are in place. That dramatically reduces the workload, as well as the
potential for error when connecting an iSCSI initiator to a virtual disk.
For load balancing, the devices transparently redirect iSCSI initiators to
other controllers. Other devices we tested with load-balancing
capabilities require the system manager to be aware of the different IP
addresses used by each controller and manually configure
connections to each — an unnecessary complication that had us calling
technical support to get things straightened out, especially after we had
simulated device failures.

The Celeros EzSANFiler, FalconStor NSS-S12 and D-Link DSN-3200-10
can’t have dual controllers talking to the same disk array, so if you’re
looking for an iSCSI server that can survive the loss of something more
sophisticated than a power supply, those might not be appropriate
(FalconStor has other models that support multiple controllers).

We didn’t test the high-availability capabilities of the Compellent,
Reldata, or StoneFly solutions because they require additional external
controllers. In each case, these iSCSI SAN servers consist of a controller
in a separate box from the disk drives, so high availability requires
adding a separate controller to the iSCSI system. We also didn’t
investigate the high-availability capabilities of the LeftHand Networks
NSM 2120, which uses an unusual architecture of independent disk plus
controller “storage nodes” to provide high availability. LeftHand sent us
six storage nodes to highlight their high-availability capabilities, but we
elected to evaluate them based on only three storage nodes to make
their system more equivalent in price and capabilities with the other
devices tested. The LeftHand solution is intriguing, but gaining efficient
high availability can be quite expensive unless you really need 18TB of
high-speed SAS-based storage.


Performance  test  weighs  network 
feeds,  SAS  vs.  SATA  drive  considerations 


BY  JOEL  SNYDER,  NETWORK  WORLD  LAB  ALLIANCE 

There is no messier can of worms to open than one containing a disk
I/O performance benchmark. Performance is difficult to measure,
because there are few trustworthy tools. Performance also is difficult to
characterize, because every application (and even versions of the same
application) uses the file system differently. And small configuration
changes within either the test tool or the iSCSI server can lead to
substantial changes in performance.

Rather than try and identify the fastest iSCSI subsystem, we focused on
four sets of performance-related questions:

• How does iSCSI compare with locally attached disk storage? Is
iSCSI fast enough to replace internal disks, or does the network act
as a bottleneck?

• How does iSCSI over Gigabit Ethernet perform? Is there a requirement
for multiple connections to each iSCSI initiator? Is Ethernet a bottleneck?
Does iSCSI need to be shelved until 10G Ethernet is widely available?

• Is there reason to pay extra money for Serial-Attached SCSI (SAS)
drives compared with Serial ATA (SATA) drives?

• Are there some general observations we can make about which
iSCSI servers are faster than others?

For a baseline, we ran basic benchmarks on locally connected SCSI
drives. Each network and application server in our test bed had two
internal 10K RPM SCSI drives, and we ran the benchmarks across four
servers with local drives and later ran them across the LAN to the iSCSI
servers being tested (see “How we did it,” www.nwdocfinder.com/5921).

Results show that a single server talking to local disks generally would
see lower levels of performance than the same server running the same
benchmark to an iSCSI storage-area network (SAN) device. If you
replaced internal disks on a single server with an iSCSI SAN server, even
the slowest device tested would be faster than the local disks.

These iSCSI servers are designed to serve many servers at once, and you
wouldn’t buy a whole iSCSI server for a single application server. Because
our test bed had four servers, we ran the same test with four servers
hitting the iSCSI array at once. In that case, the sum of eight local drives in
four servers turned in a more respectable performance when compared
with iSCSI over Gigabit Ethernet, because the local disk performance
scaled linearly. When four servers with local drives were compared with
the iSCSI servers we tested, they placed in the bottom third of our results:
Nine of the iSCSI SAN servers were faster, but five were slower.

It’s impossible to guess exactly what the limits of the iSCSI SANs are
without having a lot more servers (and time) to test, but a simple linear
extrapolation indicates that for the test loads we used, you’d have to have
about 15 servers, all running flat-out with disk I/O, before the three
top-performing iSCSI SANs we tested (from Dell, LeftHand Networks and
NetApp) would be slower than locally attached disks. At that point, you’d
have spent about $45,000 on disks and RAID controllers for the 15
servers, compared with $55,000 to $96,000 for one of the iSCSI servers we
tested. That doesn’t necessarily make the iSCSI SAN servers we tested a
bargain, but the costs are not too far off — especially if you factor in the
other value prospects these virtualized storage systems bring.

We conclude that iSCSI competes well with locally attached storage. If
you’ve been buying inexpensive SATA drives, you can throw one of the
SAS-based iSCSI SAN servers at your network, and you’ll probably see a
big jump in performance. If you’ve been building individual SCSI-based
arrays in each of your servers and then pile a dozen heavily used servers
on one of the SATA-based iSCSI servers, you will more likely be
disappointed with performance.

Less  expensive  than  Fibre  Channel? 

Our second finding was that standard Gigabit Ethernet doesn’t appear
to be a bottleneck for SAN performance. Instead, it is the iSCSI server —
most likely the internal disks — that is the actual bottleneck. In our
testing, every iSCSI SAN server had a minimum of two Gigabit Ethernet
ports, with most having four. Yet, with four clients pounding on the
servers, only one test out of 48 (the LeftHand Networks during our
simulated Web server test) exceeded a total aggregate bandwidth of 2Gbps.


While we wouldn’t suggest using a single Gigabit Ethernet port for your
SAN connection, in only eight tests (again, out of 48) did the four servers
exceed a total aggregate bandwidth of 1Gbps. Those cases were:
LeftHand Networks and NetApp in the file and Web server tests,
Compellent Technologies, Dell and StoneFly in the Web server test.

These results suggest that four Gigabit Ethernet connections should be
sufficient to saturate the capability of most iSCSI storage systems using
normal traffic and that the main reason to run dual connections from an
iSCSI initiator would be for high availability rather than to accommodate
total performance. That’s good news for network managers, because it
means the extra cost and complexity of using Fibre Channel as the
interconnect for SANs does not pay off in measurably higher performance.

With  two  ports  of  Fibre  Channel  costing  about  $1,000  apiece  (Gigabit 
Ethernet  is  about  $100  per  port)  and  two  Fibre  Channel  switches  costing 
about  $10,000  apiece  (Gigabit  Ethernet  is  about  $1,000  per  switch),  the 
infrastructure  price  difference  between  Gigabit  Ethernet  and  Fibre 
Channel  for  a  20-server  SAN  would  be  more  than  $50,000  —  enough  to 
buy  a  spare  storage  server  or  a  lot  of  extra  space  for  your  existing  server. 

SAS  vs.  SATA 

When we looked at the performance of SAS drives compared with
SATA drives, the results weren’t entirely conclusive, but the trend is
pretty clear: SAS drives will give you lower latency, more I/O
operations per second, and higher throughput than SATA drives. They
should, however, given the cost differential.

The cost of a SAS drive can be 10 times the cost of a SATA drive for the
same capacity. For example, a 450GB 15K RPM SAS drive has a street
price of about $1,000 — if you can find them, because they just started
shipping. A 500GB 7.2K RPM SATA drive, however, is about $100 — if you
can find them, because they’re considered nearly obsolete and have
been largely replaced with 750GB and 1000GB drives. SAS drives have
another cost as well: They aren’t available in very high capacities, so you
use up more precious slots in iSCSI servers to get the same capacity.

In this test, six vendors sent us solutions using 15K RPM SAS drives and
seven vendors sent solutions using 7.2K RPM SATA drives. Celeros’
EzSANFiler XD34S and HP’s StorageWorks 2012i can mix SATA and SAS
drives, so we benchmarked each set separately. We also had Compellent
send us a shelf of 10K RPM Fibre Channel drives. No matter how we
looked at the statistics — as raw throughput, I/O operations per second
or system latency — the top three performers were always the same:
Dell, LeftHand Networks and NetApp, all using SAS drives.

Tracking performance of iSCSI SAN servers with SAS drives

This graph shows the relative performance across four benchmarks for iSCSI servers with SAS or
Fibre Channel drives. We also included the non-iSCSI drive performance statistics (internal 10,000
RPM SCSI drives) for comparison. These benchmarks represent total megabytes per second of each
iSCSI SAN server with four simultaneous clients keeping the I/O queue full with 32 pending requests
per server. Each of the four tests (simulations of Exchange 2003, Exchange 2007, file server and Web

Tracking performance of iSCSI SAN servers with SATA drives

This graph shows the relative performance across four benchmarks for iSCSI servers with SATA
drives. We also included the non-iSCSI drive performance statistics (internal 10,000 RPM SCSI
drives) for comparison. These benchmarks represent total megabytes per second of each iSCSI
SAN server with four simultaneous clients keeping the I/O queue full with 32 pending requests per
server. Each of the four tests (simulations of Exchange 2003, Exchange 2007, file server and Web
server environments) is described in greater detail in “How we did it,” www.nwdocfinder.com/5921.

Axis: Mbytes/sec throughput. Legend: Exchange 2003 test, Exchange 2007 test, File server test, Web server test.

However, the fourth-place performer in all three categories was the
Nexsan Technologies SATABeast, with its load of 1000GB 7.2K RPM SATA
drives. On the slow side of our testing, SATA-based iSCSI servers
dominated our rankings. For each of the categories, the bottom scores were
always SATA-based arrays.

Raw rankings, though, don’t show the real difference in speeds. To
compare SAS with SATA speed, we looked at the improvement in throughput
on the top three SAS arrays compared with the top three SATA arrays.
The average increase in performance of SAS over SATA across all four
scenarios we tested was 221%, while individual results ranged from 157%
(in the file-server simulation test) to 270% (in the Web-server simulation
test). This seems to say that for normal read-write operations, especially
in such heavy, random-access environments as email, SAS-based iSCSI
will turn in better than twice the throughput of SATA-based iSCSI SAN
servers. In environments that are largely read-only, such as a Web server
offering HTML documents, the performance difference is less
significant, but still fairly obvious.

Which  iSCSI  SAN  is  fastest? 

Finally, we had to look at absolute scores and see which products were
fast and which ones were slow. The usual cautions should appear here:
Our testing is based on simulated workloads, using simulation tools and
iSCSI servers with out-of-the-box configurations — not necessarily tuned
for each application. Your mileage may vary, and past results are no
guarantee of future returns.

That  being  said,  we  divided  up  the  iSCSI  servers  based  on  their  disk 
technology  because  it  doesn’t  seem  fair  to  compare  SATA-based  iSCSI 
with  SAS-based  iSCSI. We  compared  the  Compellent  StorageCenter  with 
SAS-based  iSCSI  servers  because  it  uses  Fibre  Channel  drives  that  are 
sold  as  high-performance  devices  in  competition  with  SAS  drives,  and 
not  as  a  replacement  for  SATA  drives. 

It’s clear that in the SAS bucket, the Dell, LeftHand Networks and
NetApp SAN servers were head-and-shoulders above the other devices
in performance. Their aggregate throughput, low latency and high
I/O-operations-per-second rates were dramatically higher than those of the
other devices we tested. This performance comes at a cost: The costs per
gigabyte of throughput ranged from $8.88 (LeftHand Networks) to
$24.29 (NetApp). Next in line in the SAS-based server list were the
products from HP and Reldata.

Where budget intrudes, or greater capacity is needed, the SATA-based
iSCSI storage systems we tested still can hold up their end of
the bargain, and at a fraction of the cost of the SAS-based systems.
The iSCSI arrays we tested offer a cost per gigabyte of throughput
ranging from a low of $0.77 (D-Link) to a high of $3.58 per gigabyte
(FalconStor Software). In this bucket, Nexsan SATABeast and the
StoneFly Storage Concentrator really stood out above the other
SATA-based arrays.


iSCSI  SAN  server  mgmt.  is  weak 


BY  JOEL  SNYDER,  NETWORK  WORLD  LAB  ALLIANCE 

In the storage business, a popular metric for measuring management
costs is to compute “T-byte per FTE,” which is how many terabytes a
full-time employee can manage. While that may seem a bit over the top at
first glance, based on some of the truly abysmal management models we
witnessed throughout this testing cycle, we think it’s a reasonable
assumption.

All products tested have GUIs, generally either Web- or Java-based.
These GUIs ranged from the one outstanding representative we found in
Compellent Technologies’ StorageCenter down through a range of
good-to-average products to ones that could use significant improvement,
such as those shipping with the D-Link DSN-3200-10, the Reldata Unified
Storage Gateway and the StoneFly Storage Concentrator.

LeftHand  Networks  was  a  strange  outlier  in  the  GUI  department,  with 
its  Windows-only  management  client  that  doesn’t  work  across  routed 
networks.  In  other  words,  your  management  station  has  to  be  on  the 
same  subnet  as  the  LeftHand  NSM  servers  that  are  deployed. We  had  to 
reconfigure  our  test  network  to  meet  this  bizarre  requirement. 

Some products also have command-line interface (CLI) access,
including the Dell PS5000XV, FalconStor Software NSS-S12, HP
StorageWorks 2012i, Kano Technologies NetCOR 7500 and the NetApp
FAS2050. Having access via a CLI is useful, especially when performing
repeated operations (such as when we were creating 16 virtual disks
during installation), but day-to-day operations should not require the CLI
if the GUI is well designed.

With both the Kano and NetApp products, it’s clear that the GUI is
discouraged in favor of the CLI. In fact, the NetApp FAS2050 really cannot
be entirely managed via the GUI — significant portions of it require CLI
access, a sign of the incremental development of NetApp’s products.
Based on our testing, NetApp has long passed the point where a
complete user-interface and terminology redesign are required. For example,
the NetApp FAS2050 was the only device that required managing the
two different controllers in the appliance as completely separate
elements — even though they were bound into a cluster. While NetApp
does offer software that can unify multiple controllers, no other vendors
required added code to present a unified view of their device in the
management system.

Main  management  requirements 

We didn’t explore every nook and cranny of the management
interfaces of these systems, but looked in four key areas: configuration,
monitoring, alerting and reporting.

Configuration was generally easy overall throughout testing, although
we did bump into some extreme rough spots. Compellent’s
StorageCenter, Dell’s PS5000XV, HP’s StorageWorks 2012i, Kano’s NetCOR 7500,
LeftHand Networks NSM 2120 and Nexsan Technologies’ SATABeast all
came up and started sharing data a few minutes after initial power-on,
without undue drama or stress. We got through NetApp’s FAS2050 as
well, once we understood that we had to do everything twice. Similarly,
D-Link’s GUI took some getting used to, but we figured it out even though
it took longer than necessary for what is essentially a simple product.

We were less satisfied with the configuration models presented by the
Celeros EzSANFiler XD34S, FalconStor NSS-S12, Reldata Unified Storage
Gateway and StoneFly Storage Concentrator. In each case, the iSCSI
storage controller is managed somewhat separately from the actual disk
array being offered. With the FalconStor product, for example, the disk
controller is an internal Areca Technology controller which is completely
unmanaged by the FalconStor GUI. That means configuration, status
information and anything else to do with how the physical disks are organized
into RAID arrays are completely separate from the rest of the GUI.

We’ve got a similar beef with the Celeros product. The company has
made a half-hearted attempt to let you jump between its Web interface
and the RAID controller interface, although doing so required us to
figure out which controller Celeros was using, find the Web site of the
manufacturer, download the manual, and discover the credentials needed to
look at the controller. (It’s “admin” and “0000,” in case anyone else wants
to be saved the trouble.) Frankly, it was amusing to see something called
a “Unified Storage Gateway” be so completely un-unified.

Reldata’s Unified Storage Gateway caught our eye for another reason:
The GUI is so overly complicated and detailed that it would be
impossible to generate correct configurations if you didn’t use the built-in
wizards. This was certainly the most difficult GUI to use in this test. For
example, we were able to set up Syslog so that it was sending log data to
our central server, but we were never able to find that setting again —
and Syslog never appears in the documentation we were given.

Ongoing  storage  monitoring 

Monitoring  was  another  part  of  the  management  system  into  which  we 
took  a  deep  dive.  Simple  questions  —  such  as  which  iSCSI  initiators  are 
using  which  virtual  disks,  how  much  CPU  and  memory  capacity  are  in 
use,  and  how  much  disk  I/O  is  occurring  —  should  be  easy  to  view. 
Unfortunately,  only  the  Compellent  StorageCenter  and  the  NetApp 
FAS2050  brought  these  simple  statistics  and  reports  summarizing  them 
out  to  where  they  could  be  easily  seen. 

Each of the other products had some strange dysfunction in these
relatively simple areas. For example, Dell’s PS5000XV gave us physical disk
statistics, but not virtual disk statistics. That’s interesting, but not very
useful because you don’t manage physical disks at all in the PS5000XV —
only virtual disks. Dell did tug at our heartstrings, though, by
automatically generating a multi-router traffic generator config file to help
integrate monitoring of a Dell array with existing common tools. If the
statistics aren’t helpful, however, it doesn’t matter how easy it was to get them.

Compellent’s Topology Explorer gives a real-time view of
which iSCSI initiators are connected to which virtual disks
on the iSCSI server, giving a valuable view of which devices
are in use and by whom.

Reporting  and  alerting 

Some of the iSCSI systems we tested had the ability to continuously
report on a wide variety of performance statistics. This feature was easy
to use and gave us useful and timely statistics in the Compellent
StorageCenter, HP StorageWorks 2012i and Kano NetCOR 7500. Reldata’s
Unified Storage Gateway looked as if it had nice reporting, except that its
performance monitors wouldn’t display in our GUI. Similarly, StoneFly
looked good at first glance, until we tried to get useful data out of the
report, which ended up being more of an endurance and
color-discrimination test than a source of useful information.

The only product we tested that had a traditional reporting tool to
generate regular reports for offline viewing was the FalconStor NSS-S12.

Finally, we looked for logging and alerting tools to help integrate these
devices into existing network management schemes. Surprisingly, we
found that only a few of the products were willing to link with existing
Syslog logging servers and SNMP network-management tools.
Compellent’s StorageCenter supported both Syslog and SNMP, as did
Dell’s PS5000XV, NetApp’s FAS2050, Nexsan’s SATABeast and Reldata’s
Unified Storage Gateway. HP’s StorageWorks 2012i supported SNMP but
not Syslog.

LeftHand  Networks’  NSM  2120  did  support  Syslog  and  SNMRalthough 
the  Syslog  configuration  interface  ranks  in  our  books  as  one  of  the  most 
difficult  we’ve  used.  Rather  than  simply  pointing  log  files  to  a  Syslog 
server,  you  have  to  individually  configure  each  of  about  30  log  files  to 
send  their  data  to  a  Syslog  server  —  and  you  have  to  repeat  this  process 
for  each  individual  storage  module  in  your  configuration. 

Alerting  features  in  these  devices  also  ranged  from  bad  to  good.  We 
were  specifically  looking  for  the  ability  to  configure  alerts  via  e-mail  or 
SNMP  traps.  In  the  case  of  e-mail  alerting,  we  wanted  useful  information 
to  show  up  in  the  messages  and  we  wanted  the  ability  to  set  the  level  of 
severity  for  which  alerts  would  occur.  The  best  examples  were  in  the 
Dell  PS5000XY  FalconStor  NSS-S12,  HP  StorageWorks  2012i  and  Kano 
NetCOR  7500. 

Oracle unveils security tools

BY  JOHN  FONTANA 

Oracle last week unveiled a suite of access management tools including a
server that provides controls to fine-tune user privileges.

The Oracle Access Management Suite is a bundle of software the company
has collected from the acquisitions of Oblix, Bharosa and BEA. The suite
provides users with a range of authentication and authorization
technologies to support Web application single sign-on (SSO), strong
authentication, fraud protection and cross enterprise federation and SSO.

In addition, Oracle released what it calls the Entitlements Server, which
is a rebranding of the former BEA AquaLogic Enterprise Security software.
The server relies on policies and user attributes such as title or
location to craft sophisticated access controls around any network
resource including documents.

The Entitlements Server supports Extensible Access Control Markup
Language (XACML) for policy interoperability.

The other servers in the suite are the Adaptive Access Manager for strong
authentication and fraud protection, Access Manager for Web SSO, and
Identity Federation for cross domain access controls.

Oracle will continue to sell the pieces separately.

The suite also integrates with middleware including Oracle Fusion, Oracle
applications, Office SharePoint Server, IBM WebSphere and BEA WebLogic.

Oracle officials say they have done integration and certification around
the products to ensure that they work together, but the company has work
ahead of it to mold the four pieces into a cohesive unit.

“It is relatively easy to put together a strategy and vision for all of
this, but the engineering work is going to be significant for them,” says
Gerry Gebel, an analyst with the Burton Group. But Gebel says the move
toward entitlement management is a good one for Oracle.

“The entitlement management market is one that is really immature,” Gebel
says. “But Oracle has one of the better products and they are in a good
position.”

The Entitlements Server, Access Manager and Identity Federation are all
deployed behind the firewall, while the Adaptive Access Manager installs
as a proxy protecting the Web infrastructure. The servers can be
integrated with corporate directories that support the Lightweight
Directory Access Protocol.

“The thing we saw over the last two to three years was that customers
were piecing all these elements together as they built a comprehensive
strategy,” says Amit Jasuja, vice president for identity management at
Oracle. “They were dealing with all the integration, certification,
patching.”

Jasuja says Oracle expects the suite to compete with offerings from IBM,
Sun and CA.

The Oracle Access Management Suite is priced at $45 per internal user and
$12 per external user. ■


Cisco to purchase home-network software vendor

BY NANCY GOHRING, IDG NEWS SERVICE

Cisco announced plans to buy Pure Networks, a company that has developed
software aimed at making home networking easier, for $120 million.

Pure’s software helps users set up and manage networks. It can be used to
connect PCs, Macintosh computers, printers and other devices in homes or
small offices. The software also helps users manage security on the
network and identify where problems might be occurring.

Cisco uses software from Pure in its Linksys Easy Link Advisor, a product
that helps Cisco customers set up their home networks.

The network giant says the industry is moving from one where home
networking involves sharing a broadband connection among PCs and
peripherals to one that connects multiple networks, applications and
services. Cisco expects to build on Pure’s software, adding new
capabilities to it.

Many consumer electronics developers and network companies have talked
about a vision for connecting a wide variety of devices in the home —
such as TVs, computers and even the refrigerator — via networks, but that
vision has been slow to come to fruition, mainly due to incompatible
technologies and complexity.

Cisco expects the deal to close in the first quarter of its 2009 fiscal
year. It plans to retain Pure’s employees, including an R&D team, which
will work under Cisco’s Linksys division. The acquisition includes Pure
intellectual property. ■

City of San Francisco management fails

BACKSPIN
Mark Gibbs

By now you must have heard about Terry Childs, the so-called “rogue”
network administrator of the City of San Francisco. Childs is accused of
four counts of tampering with a computer, which includes creating secret
passwords to city network infrastructure that he will not reveal and
installing software to monitor email from the city managers that might be
about him.

Childs has been variously characterized as crazy, looking for revenge
and even a terrorist, but as always the truth is far more complex. The
best discussion of what the whole sad case is about can be found in a
terrific analysis, “Why San Francisco’s network admin went rogue,” by
Paul Venezia (www.nwdocfinder.com/5933).

The article illustrates that this case is a world-class example of really
bad IT strategizing coupled with remarkably bad management. Childs
apparently took his job way too seriously — all accounts of the man
say he was talented and a hard worker but also that he was arrogant, a
poor communicator and poorly managed. But at the heart of it all was
that the city simply had no overall security plan. Why? Well, it appears
that management just didn’t care despite the fact that Childs created
and put forward security plans on numerous occasions, all of which
were ignored.

What the City of San Francisco lacked was an overall Information
Technology strategy. What the city had was a load of tactics flying in
formation, and it seems that Childs was all too aware that this was the
case. Being the kind of guy he is, it seems that Childs came to see the
city network as his sole responsibility and controlling and keeping it
safe some kind of prime directive. Like a human Skynet, he responded
to perceived threats in an inappropriate and unexpected manner
(on the plus side at least in this case it’s unlikely we’ll have to watch
Keanu Reeves “act” Childs’ role).

The popular press has thrown in its two cents’ worth, which has
illuminated the fearfulness and irrationality of both the city’s
management and the public. The city seems to have been responsible for
escalating the situation into a legal frenzy while citizens have
responded with anger and outrage (public comments to online news items
have even suggested using waterboarding to encourage Childs to
reveal the passwords).

So, who is to blame for this mess? I’d suggest that it isn’t actually
Childs, rather it is a management problem of such huge proportions
that the mayor of San Francisco, Gavin Newsom, is to blame. If the city
was a commercial corporation he’d be the CEO, and when a company
goofs in a really big way such that shareholder value tanks, then that’s
where the buck stops.

In the case of a city, the shareholder (aka the citizen) value lies in
the quality of the services provided, such as road upkeep, water
delivery and treatment, and especially emergency services. Without
information and communications these services are considerably
diminished in value. While the San Francisco network is effectively
locked up, only Childs can unlock it should anything go wrong.

Newsom’s management insight is obviously deficient when it
comes to what makes his city work, which is IT. As a result the city will
have to spend millions of dollars regaining control of its network and
prosecuting a poor schmo who took his job way too seriously. I wonder
if Newsom will get reelected? If he does run again will anyone
bring up the crackerjack city management?

Gibbs doesn’t run in Ventura, Calif. He sits and waits. Wait with him at
backspin@gibbs.com.


Making  data-breach  research  easier 


NET BUZZ

News, insights, oddities


The monstrous data breaches involving millions of records make all the
headlines — TJX, AOL, the Veterans Administration. However, it’s those
whoppers combined with the rat-a-tat-tat of seemingly daily divulgences
involving lesser-known entities and fewer victims that add up to a costly
and so-far-uncontrolled societal headache.

Logging these incidents and assembling reliable research data about the
problem has been a bailiwick of security Web site Attrition.org since
July 2005 — and has at times proven daunting, as the database now
contains more than 1,000 incident reports covering some 330 million
records. Into the breach, so to speak, steps the Open Security
Foundation, which recently announced it will formally maintain the
DataLossDB — also known as the Data Loss Database — Open Source.

Attrition.org staff member Kelly Todd, a DataLossDB project leader,
tells me that a primary motivation behind the change is to increase
public contributions to, and involvement in, the database.

“In the past, Attrition.org was approached by quite a few entities in
the public and private sectors for input into their studies,” Todd says.
“The information itself will hopefully become more complete and
accurate with community contributions, which should lend to more
analysis about how and why data breaches occur, and, possibly [and
hopefully] how they can be prevented in the future.”

Of course, there will be quality controls.

“Anonymous submissions will be allowed, but we’re hoping that people
will sign up for an account so we can give credit to anyone who
contributes to the data set,” Todd says. “All submissions will be
moderated by a core team of volunteers for accuracy.”

I asked Todd if the escalation of the DataLossDB project was an
indication that data breaches in general are likely to remain a growth
industry.

“As far as actual breaches go, no one can say for sure if they’ll
increase or decrease, but public reporting and awareness has definitely
increased in the last few years,” he says.

Real  reasons  these  10  states  get  the  most  spam 

MessageLabs  has  released  a  list  of  the  states  that  receive  the  most 
spam  . . .  and  the  security  vendor  offers  this  highfalutin  explanation 
for  why  these  10  are  most  targeted:  “The  varying  spam  levels  across 
states  can  be  attributed  to  different  socioeconomic  factors  and  levels 
of  security  awareness  in  each  state.” 

Uh,  maybe.  Here  are  the  10  states  in  order  of  ascending  spaminess 
. . .  and  my  take  on  the  real  reasons  they  are  junk  e-mail  magnets: 

10. Alabama: Just announced a crackdown on diploma mills — a
leading industry, apparently — which should drop the state off this list
in no time.

9. Pennsylvania: Its lawmakers are too busy policing the NFL.

8. Texas: Construction behind schedule on antispam border fence.

7. Indiana: Name a town Santa Claus, expect a lot of mail.

6. North Carolina: Even spammers hate Duke.

5. Wisconsin: Cheese-head hats prove ineffective spam deterrent.

4. New Hampshire: Ban on spam filters takes that “Live Free or Die”
thing a bit too far.

3. Oregon: Spam turned back at California line has to go somewhere.

2. South Dakota: That lone e-mail account makes for an inviting target.

1. Illinois: Obviously, Obama’s weak on network security.

Any  questions? 

Direct  them  to  buzz@nww.com. 


